CVE-2026-42590

8.2 HIGH

Gotenberg is a Docker-powered stateless API for PDF files

Published: 2026-05-14 · Last updated: 2026-05-18

Severity and scoring

CVSS: 8.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CWE: CWE-184

Affected products

Vendor	Product
thecodingmachine	gotenberg

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42590
[Vendor advisory]https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855
[Vendor advisory]https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855

Related CVEs

Same vendor

CVE-2026-42597 — Gotenberg is a Docker-powered stateless API for PDF files (5.9 MEDIUM)
CVE-2026-42596 — Gotenberg is a Docker-powered stateless API for PDF files (9.4 CRITICAL)
CVE-2026-42595 — Gotenberg is a Docker-powered stateless API for PDF files (8.6 HIGH)
CVE-2026-42594 — Gotenberg is a Docker-powered stateless API for PDF files (7.5 HIGH)
CVE-2026-42593 — Gotenberg is a Docker-powered stateless API for PDF files (5.3 MEDIUM)

Same CWE

CVE-2026-53864 — OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js contr... (8.1 HIGH)
CVE-2026-53861 — OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-com... (6.6 MEDIUM)
CVE-2026-53855 — OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks ... (8.1 HIGH)
CVE-2026-53848 — OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side ... (4.3 MEDIUM)
CVE-2026-53836 — OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling that allows attackers to exec... (8.8 HIGH)