CVE-2026-42590

HIGH 8.2

Gotenberg: ExifTool group-prefix syntax bypasses dangerous-tag blocklist

CVSS Score

8.2

EPSS Score

0.0%

EPSS Percentile

0th

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.

CWE	CWE-184
Vendor	gotenberg
Product	gotenberg
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for gotenberg gotenberg

Be the first to know when new high vulnerabilities affecting gotenberg gotenberg are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Affected Versions

gotenberg / gotenberg

< 8.30.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855