Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression=/path from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem. This vulnerability is fixed in 8.32.0.
Published: 2026-05-14
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits any anonymous caller to provide arbitrary file paths in stampExpression and watermarkExpression parameters of the merge, split, convert routes. PDF engine pdfcpu reads the specified PDF and composites it into the returned document, allowing the attacker to obtain the contents of any PDF that the Gotenberg process can access. This is a classic arbitrary file read, providing information disclosure. The weakness involves path traversal and ambiguous file type handling (CWE-22, CWE-73). The impact is limited to reading existing files; there is no remote code execution or privilege escalation.

Affected Systems

All Gotenberg installations running a version older than 8.32.0 are affected. The vendor’s product list indicates gotenberg:gotenberg. No specific version numbers are listed beyond the release that fixed the issue. Therefore any deployment using Gotenberg prior to the 8.32.0 release is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalogue. Attackers can exploit it by making the vulnerable API calls over the network; authentication is not required. The path information supplied by the caller is used directly without validation, so the attack requires no additional privileges. Consequently, the risk is primarily limited to potentially exposing sensitive PDF documents on the container file system if the container is not isolated.

Generated by OpenCVE AI on May 14, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to version 8.32.0 or later to apply the vendor patch.
  • If upgrading is not immediately possible, configure the container runtime to restrict the file system visibility of the Gotenberg process (e.g., run the service in a read‑only mount or a separate namespace).
  • Limit access to the PDF processing routes or enforce authentication so that only authorized users can specify stampExpression or watermarkExpression.

Generated by OpenCVE AI on May 14, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3cv5-q585-h563 Goteberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
History

Thu, 14 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Gotenberg
Gotenberg gotenberg
Vendors & Products Gotenberg
Gotenberg gotenberg

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression=/path from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem. This vulnerability is fixed in 8.32.0.
Title Gotenberg: Arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
Weaknesses CWE-22
CWE-73
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gotenberg Gotenberg
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:31:27.284Z

Reserved: 2026-04-29T00:31:15.724Z

Link: CVE-2026-42593

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T16:16:22.450

Modified: 2026-05-14T16:28:04.847

Link: CVE-2026-42593

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T17:30:15Z

Weaknesses