Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, the ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.
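The check described above, as an added example (not Gotenberg's code and not its 8.30.0 fix): a blocklist compared against the raw key, next to one that first normalizes the key the way the description says ExifTool does. The regex is the one quoted above; the blocklist contents, function names and sample keys are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Key validation regex as quoted in the advisory; note that it admits ':'.
var safeKeyPattern = regexp.MustCompile(`^[a-zA-Z0-9\-_.:]+$`)

// Simplified model of a blocklist compared against the raw key (assumed contents).
var rawBlocklist = map[string]bool{"FileName": true, "Directory": true, "HardLink": true, "SymLink": true}

// Blocklist keyed by normalized tag name, including the attribute pseudo-tags.
var normBlocklist = map[string]bool{
	"filename": true, "directory": true, "hardlink": true, "symlink": true,
	"filepermissions": true, "fileuserid": true, "filegroupid": true,
}

// baseTag removes every group prefix ("File:", "a:", "File:System:") and
// lowercases the remainder, because ExifTool tag names are case-insensitive.
func baseTag(key string) string {
	if i := strings.LastIndex(key, ":"); i >= 0 {
		key = key[i+1:]
	}
	return strings.ToLower(key)
}

// naiveAllows reproduces the flaw: the raw key is looked up in the blocklist.
func naiveAllows(key string) bool {
	return safeKeyPattern.MatchString(key) && !rawBlocklist[key]
}

// hardenedAllows checks the name ExifTool will act on after prefix stripping.
func hardenedAllows(key string) bool {
	base := baseTag(key)
	return safeKeyPattern.MatchString(key) && base != "" && !normBlocklist[base]
}

func main() {
	// Constructed sample keys; the prefixed forms are the ones named in the advisory.
	keys := []string{"Title", "XMP:Title", "FileName", "File:FileName",
		"System:Directory", "a:HardLink", "FilePermissions", "File:"}
	for _, k := range keys {
		fmt.Printf("%-18s naive=%-5t hardened=%t\n", k, naiveAllows(k), hardenedAllows(k))
	}
}
```

An allowlist of the metadata tags a deployment actually needs avoids this class of incomplete-blocklist problem (CWE-184) altogether.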
Published: 2026-05-14
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Gotenberg allows an attacker to bypass the ExifTool metadata write blocklist by exploiting the tool's group‑prefix syntax. This bypass enables arbitrary file rename, move, hardlink, and symlink creation on the server, within the container's filesystem. In addition, the FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all, so file permissions, owner, and group can be changed without any prefix. As a result, an attacker who can submit a PDF to the API can alter or create files that may compromise the application, inject malicious code, or facilitate further exploitation.

Affected Systems

All versions of Gotenberg before 8.30.0 are affected. This includes deployments where the Gotenberg Docker image is used to provide PDF generation services. The vulnerability has been fixed by updating to version 8.30.0 or later; no other vendor or product versions are reported to be impacted.

Risk and Exploitability

The CVSS score of 8.2 classifies this as high severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread, known exploits are documented. However, the exposed API typically permits remote users to upload files, making the attack vector likely remote. An attacker could therefore remotely gain the ability to manipulate files on the host, potentially leading to service disruption or unauthorized code execution depending on the application’s privilege boundaries.

Generated by OpenCVE AI on May 14, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gotenberg deployment to version 8.30.0 or later to apply the vendor fix.
  • If an immediate upgrade is not possible, limit access to the Gotenberg API to trusted IP ranges or internal networks to reduce exposure.
  • Configure the container to run as a non‑privileged user and set strict filesystem permissions to restrain the effect of any remaining file manipulation capabilities.



Advisories
Source: Github GHSA
ID: GHSA-7v3r-m9c8-r855
Title: Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist

History

Thu, 14 May 2026 17:45:00 +0000

Values Added:
  • First Time appeared: Gotenberg; Gotenberg gotenberg
  • Vendors & Products: Gotenberg; Gotenberg gotenberg

Thu, 14 May 2026 16:15:00 +0000

Values Added:
  • Description: the text given under Description at the top of this page
  • Title: Gotenberg: ExifTool group-prefix syntax bypasses dangerous-tag blocklist
  • Weaknesses: CWE-184
  • References
  • Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:36:30.386Z

Reserved: 2026-04-29T00:31:15.724Z

Link: CVE-2026-42590

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-14T16:16:22.010

Modified: 2026-05-14T16:28:04.847

Link: CVE-2026-42590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T17:30:15Z

Weaknesses