Executive Summary

This vulnerability exists in Gotenberg, a Docker-powered stateless API for PDF files, specifically in versions 8.30.1 and earlier. The issue is that while the metadata write endpoint validates metadata keys for control characters, it does not sanitize metadata values. An attacker can insert a newline character in a metadata value, which causes the ExifTool stdin line to split into two separate arguments. This allows the attacker to inject arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink.

As a result, an unauthenticated attacker can rename or move any PDF being processed to an arbitrary path within the container filesystem, overwrite arbitrary files, or create symbolic and hard links at arbitrary locations. This bypasses the incomplete key-sanitization fix introduced in version 8.30.1.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated attacker to perform unauthorized file operations within the container filesystem. Specifically, the attacker can:

• Rename or move any PDF file being processed to arbitrary locations.
• Overwrite arbitrary files within the container.
• Create symbolic links and hard links at arbitrary paths.

Such capabilities can lead to integrity and availability issues, potentially allowing attackers to manipulate files, disrupt service, or escalate attacks within the container environment.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-40281 allows an unauthenticated attacker to rename, move, overwrite, or create symlinks and hard links to arbitrary files within the container filesystem, potentially leading to unauthorized modification or destruction of data.

Such unauthorized access and manipulation of files can compromise data integrity and availability, which are critical aspects of compliance with standards like GDPR and HIPAA that require protection of sensitive data and system integrity.

Because the vulnerability enables attackers to overwrite critical system files and manipulate PDF files being processed, it could lead to breaches of confidentiality, integrity, and availability obligations mandated by these regulations.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if your Gotenberg instance is running version 8.30.1 or earlier, as these versions are affected by the metadata value injection issue.

Since the vulnerability exploits newline characters in metadata values passed to ExifTool, you can monitor or log API requests to the metadata write endpoint for suspicious metadata values containing newline characters or other control characters.

Commands to detect potential exploitation attempts could include searching logs for newline characters in metadata values or unusual ExifTool arguments.

• Use grep or similar tools to search logs for newline characters in metadata values, e.g., `grep -P '\n' /path/to/gotenberg/logs`.
• Monitor running processes or container activity for unexpected file renaming, moving, or creation of symlinks/hard links in the container filesystem.
• Check for unexpected files or symlinks in the container filesystem that could indicate exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Gotenberg to a version that includes the fix for this vulnerability, which involves sanitizing metadata values to reject control characters such as newlines.

Until an upgrade is possible, you should restrict access to the metadata write endpoint to trusted users or networks to prevent unauthenticated exploitation.

Additionally, implement input validation or filtering on metadata values before they reach Gotenberg to block control characters.

Review and monitor container filesystem permissions and activity to detect and prevent unauthorized file modifications.

Useful 0 Not Useful 0