Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.
Published: 2026-05-14
Score: 9.8 Critical
EPSS: 8.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Gotenberg allows an attacker to perform remote code execution by exploiting the lack of validation on JSON metadata keys sent to the /forms/pdfengines/metadata/write endpoint. By embedding a newline within a key, the payload is split into a new argument line for ExifTool, enabling malicious flags such as -if that execute arbitrary Perl expressions. This flaw can be triggered in a single HTTP request and results in a normal HTTP 200 response containing a PDF, making detection difficult. The CVSS score for this issue is 9.8 and the associated CWE is 78.

Affected Systems

Affected products include the Gotenberg containerized PDF API, with all versions prior to 8.31.0 vulnerable. The issue is specific to the /forms/pdfengines/metadata/write endpoint used by the go-exiftool library.

Risk and Exploitability

Given its high severity CVSS score and the availability of an official patch in 8.31.0, this flaw poses a critical risk to unprotected instances. The EPSS score is 0.08768%, indicating a very low probability of exploitation. Being unauthenticated, the attack can be attempted by anyone with network access. The vulnerability is not currently listed in the CISA KEV catalog, but its exploitation would likely generate false-positive monitoring traffic due to the benign 200 response.

Generated by OpenCVE AI on June 2, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to version 8.31.0 or later, where the bug is fixed.
  • Restrict or disable the /forms/pdfengines/metadata/write endpoint for unauthenticated traffic until the patch is applied.
  • Implement or enforce sanitization of metadata keys to strip newline characters or limit allowed characters before processing by ExifTool.

Generated by OpenCVE AI on June 2, 2026 at 15:41 UTC.
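The third recommended action, as an added example in Go (not Gotenberg's or go-exiftool's own code): an allow-list validator for metadata keys that a handler would run before any argument is handed to ExifTool. The tag-name pattern and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"unicode"
)

// tagNamePattern is an assumed allow-list for ExifTool tag names: an optional
// group prefix such as "XMP-dc:" followed by an alphanumeric tag name.
var tagNamePattern = regexp.MustCompile(`^(?:[A-Za-z][A-Za-z0-9-]*:)?[A-Za-z][A-Za-z0-9]*$`)

// ValidateMetadataKey returns nil when key can safely become one "-Key=Value"
// argument line for ExifTool, or an error saying why it was refused.
func ValidateMetadataKey(key string) error {
	if key == "" {
		return errors.New("metadata key is empty")
	}
	// go-exiftool sends one argument per stdin line, so a CR/LF (or any other
	// control character) inside a key would start a new argument line.
	for i, r := range key {
		if unicode.IsControl(r) {
			return fmt.Errorf("metadata key %q: control character U+%04X at offset %d", key, r, i)
		}
	}
	if key[0] == '-' {
		return fmt.Errorf("metadata key %q: must not start with '-' (would parse as an option)", key)
	}
	if !tagNamePattern.MatchString(key) {
		return fmt.Errorf("metadata key %q: not a valid ExifTool tag name", key)
	}
	return nil
}

// ValidateMetadata checks every key of a decoded JSON metadata object and
// returns the first problem found, so the handler can answer 400 before any
// argument is written to ExifTool.
func ValidateMetadata(metadata map[string]interface{}) error {
	for key := range metadata {
		if err := ValidateMetadataKey(key); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed samples: a clean object and one whose key carries a line break.
	fmt.Println(ValidateMetadata(map[string]interface{}{"Author": "Alice", "XMP-dc:Title": "Report"}))
	fmt.Println(ValidateMetadata(map[string]interface{}{"Author\nSubject": "x"}))
}
```

Rejecting the request is preferable to silently stripping the offending characters: a refused key is logged and visible, whereas a quietly altered key hides the attempt behind the same 200 response the advisory warns about.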

Advisories
Source: GitHub GHSA
ID: GHSA-rqgh-gxv4-6657
Title: Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection
History

Mon, 18 May 2026 13:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Thecodingmachine
                                      Thecodingmachine gotenberg
CPEs                 (none)           cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Thecodingmachine
                                      Thecodingmachine gotenberg

Thu, 14 May 2026 20:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Gotenberg
                                      Gotenberg gotenberg
Vendors & Products   (none)           Gotenberg
                                      Gotenberg gotenberg

Thu, 14 May 2026 16:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.
Title        (none)           Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection
Weaknesses   (none)           CWE-78
References   (none)
Metrics      (none)           cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:59:21.125Z

Reserved: 2026-04-29T00:31:15.724Z

Link: CVE-2026-42589

Vulnrichment

Updated: 2026-05-14T18:58:28.132Z

NVD

Status: Analyzed

Published: 2026-05-14T16:16:21.867

Modified: 2026-05-18T13:01:53.730

Link: CVE-2026-42589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:45:06Z

Weaknesses