CVE-2026-42589

CRITICAL 9.8

Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.

CWE	CWE-78
Vendor	gotenberg
Product	gotenberg
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for gotenberg gotenberg

Be the first to know when new critical vulnerabilities affecting gotenberg gotenberg are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

gotenberg / gotenberg

< 8.31.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657