Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.
References
| Link | Resource |
|---|---|
| https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855 | Exploit Vendor Advisory |
| https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855 | Exploit Vendor Advisory |
Configurations
History
18 May 2026, 12:15
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Thecodingmachine gotenberg
Thecodingmachine |
|
| CPE | cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:* | |
| References | () https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855 - Exploit, Vendor Advisory |
15 May 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855 - |
14 May 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-14 16:16
Updated : 2026-05-18 12:15
NVD link : CVE-2026-42590
Mitre link : CVE-2026-42590
CVE.ORG link : CVE-2026-42590
JSON object : View
Products Affected
thecodingmachine
- gotenberg
CWE
CWE-184
Incomplete List of Disallowed Inputs