CVE-2026-40281
Gotenberg PDF Metadata Injection via ExifTool
Publication date: 2026-05-06
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thecodingmachine | gotenberg | to 8.31.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-40281 allows an unauthenticated attacker to rename, move, overwrite, or create symlinks and hard links to arbitrary files within the container filesystem, potentially leading to unauthorized modification or destruction of data.
Such unauthorized access and manipulation of files can compromise data integrity and availability, which are critical aspects of compliance with standards like GDPR and HIPAA that require protection of sensitive data and system integrity.
Because the vulnerability enables attackers to overwrite critical system files and manipulate PDF files being processed, it could lead to breaches of confidentiality, integrity, and availability obligations mandated by these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your Gotenberg instance is running version 8.30.1 or earlier, as these versions are affected by the metadata value injection issue.
Since the vulnerability exploits newline characters in metadata values passed to ExifTool, you can monitor or log API requests to the metadata write endpoint for suspicious metadata values containing newline characters or other control characters.
Commands to detect potential exploitation attempts could include searching logs for newline characters in metadata values or unusual ExifTool arguments.
- Use grep or similar tools to search logs for escaped newline sequences in metadata values, e.g., `grep -F '\n' /path/to/gotenberg/logs` (structured logs store an embedded newline as the two-character escape `\n`; a literal newline never appears inside a single log line, so `grep -P '\n'` would match nothing).
- Monitor running processes or container activity for unexpected file renaming, moving, or creation of symlinks/hard links in the container filesystem.
- Check for unexpected files or symlinks in the container filesystem that could indicate exploitation.
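The log check described above, written out as a small scanner. This is an added example, not code from Gotenberg or from the advisory: it parses a constructed JSON request log (the field names `time`, `path` and `metadata` are assumptions, not Gotenberg's own log format), keeps only requests to the metadata write route (the path suffix `/metadata/write` is an assumption), and flags any metadata key or string value that carries a control character, since a newline inside a value is what splits the ExifTool stdin line into an extra argument.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"unicode"
)

// logEntry is the shape of the constructed audit log used in this example
// (an assumption for illustration, not Gotenberg's real log format).
// One JSON object per line.
type logEntry struct {
	Time     string         `json:"time"`
	Path     string         `json:"path"`
	Metadata map[string]any `json:"metadata"`
}

// Finding records one suspicious metadata key or value in a log line.
type Finding struct {
	Line   int    // 1-based index of the log line
	Field  string // "key" or "value"
	Key    string // metadata key involved
	Reason string
}

// hasControlChar reports whether s contains any control character
// (newline, carriage return, NUL, escape, ...). ExifTool reads one
// argument per line from stdin, so an embedded newline becomes a new
// argument; every control character is treated as suspicious here.
func hasControlChar(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) {
			return true
		}
	}
	return false
}

// ScanMetadataLog parses JSON log lines and returns a finding for every
// metadata key or string value that contains a control character.
// Malformed lines and requests to other routes are skipped.
func ScanMetadataLog(lines []string) []Finding {
	var out []Finding
	for i, raw := range lines {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		var e logEntry
		if err := json.Unmarshal([]byte(raw), &e); err != nil {
			continue // not a JSON log line
		}
		if !strings.HasSuffix(e.Path, "/metadata/write") {
			continue // only the metadata write route matters here
		}
		for k, v := range e.Metadata {
			if hasControlChar(k) {
				out = append(out, Finding{i + 1, "key", k, "control character in key"})
			}
			if s, ok := v.(string); ok && hasControlChar(s) {
				out = append(out, Finding{i + 1, "value", k, "control character in value"})
			}
		}
	}
	return out
}

// SampleLog is a constructed log: one clean request, one value with an
// embedded newline, one key with a carriage return, one malformed line,
// and one request to an unrelated route (which must be ignored).
var SampleLog = []string{
	`{"time":"2026-05-06T10:00:00Z","path":"/forms/pdfengines/metadata/write","metadata":{"Title":"Quarterly report","Author":"Finance"}}`,
	`{"time":"2026-05-06T10:00:01Z","path":"/forms/pdfengines/metadata/write","metadata":{"Title":"Quarterly report\nsecond line"}}`,
	`{"time":"2026-05-06T10:00:02Z","path":"/forms/pdfengines/metadata/write","metadata":{"Au\rthor":"Finance"}}`,
	`not json at all`,
	`{"time":"2026-05-06T10:00:03Z","path":"/forms/pdfengines/metadata/read","metadata":{"Title":"x\ny"}}`,
}

func main() {
	for _, f := range ScanMetadataLog(SampleLog) {
		fmt.Printf("line %d: %s (%s %q)\n", f.Line, f.Reason, f.Field, f.Key)
	}
}
```

Running it on the constructed log yields two findings (lines 2 and 3); the `/metadata/read` entry is skipped even though its value also carries a newline, so widen the path filter if your deployment exposes metadata through other routes.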
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Gotenberg to a version that includes the fix for this vulnerability, which involves sanitizing metadata values to reject control characters such as newlines.
Until an upgrade is possible, you should restrict access to the metadata write endpoint to trusted users or networks to prevent unauthenticated exploitation.
Additionally, implement input validation or filtering on metadata values before they reach Gotenberg to block control characters.
Review and monitor container filesystem permissions and activity to detect and prevent unauthorized file modifications.
Can you explain this vulnerability to me?
This vulnerability exists in Gotenberg, a Docker-powered stateless API for PDF files, specifically in versions 8.30.1 and earlier. The issue is that while the metadata write endpoint validates metadata keys for control characters, it does not sanitize metadata values. An attacker can insert a newline character in a metadata value, which causes the ExifTool stdin line to split into two separate arguments. This allows the attacker to inject arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink.
As a result, an unauthenticated attacker can rename or move any PDF being processed to an arbitrary path within the container filesystem, overwrite arbitrary files, or create symbolic and hard links at arbitrary locations. This bypasses the incomplete key-sanitization fix introduced in version 8.30.1.
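The bypass described above, and the fix named under the mitigation question, side by side. This is an added example and not Gotenberg's code: `ValidateKeysOnly` mirrors a key-only check of the kind the 8.30.1 fix is described as, `ValidateMetadata` is the key-and-value check the advisory calls for, and `ArgfileArgs` renders `-Key=Value` lines the way a one-argument-per-line ExifTool argfile read from stdin is laid out (that Gotenberg feeds ExifTool this way is an assumption drawn from the advisory's wording) and returns the arguments ExifTool would actually see after splitting on newlines.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// ErrControlChar is returned when a metadata key or value carries a
// control character such as a newline or carriage return.
var ErrControlChar = errors.New("metadata contains a control character")

// hasControlChar reports whether s contains any control character.
func hasControlChar(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) {
			return true
		}
	}
	return false
}

// ValidateKeysOnly inspects only the keys, like the incomplete check the
// advisory attributes to 8.30.1. A control character in a value passes.
func ValidateKeysOnly(md map[string]string) error {
	for k := range md {
		if hasControlChar(k) {
			return fmt.Errorf("key %q: %w", k, ErrControlChar)
		}
	}
	return nil
}

// ValidateMetadata inspects keys and values, which is the fix the
// advisory describes: no control character may reach ExifTool.
func ValidateMetadata(md map[string]string) error {
	for k, v := range md {
		if hasControlChar(k) {
			return fmt.Errorf("key %q: %w", k, ErrControlChar)
		}
		if hasControlChar(v) {
			return fmt.Errorf("value of %q: %w", k, ErrControlChar)
		}
	}
	return nil
}

// ArgfileArgs renders one "-Key=Value" line per pair (one argument per
// line, as in an ExifTool argfile) and returns the arguments ExifTool
// would see. A newline inside a value therefore yields an extra argument,
// which is exactly the split the advisory describes.
func ArgfileArgs(md map[string]string) []string {
	var buf strings.Builder
	for k, v := range md {
		fmt.Fprintf(&buf, "-%s=%s\n", k, v)
	}
	return strings.Split(strings.TrimRight(buf.String(), "\n"), "\n")
}

func main() {
	// Constructed inputs: a clean value and a value with an embedded newline.
	clean := map[string]string{"Title": "Quarterly report"}
	bad := map[string]string{"Title": "Quarterly report\nsecond line"}

	fmt.Println("clean args:", len(ArgfileArgs(clean)))       // 1
	fmt.Println("bad args:  ", len(ArgfileArgs(bad)))         // 2
	fmt.Println("keys-only:", ValidateKeysOnly(bad))          // <nil>  (bypassed)
	fmt.Println("full:     ", ValidateMetadata(bad))          // error (rejected)
}
```

The point of `ArgfileArgs` is only to make the split visible: with a single key the clean map produces one argument and the newline-bearing value produces two, while the key-only validator reports no error for the same input and the full validator rejects it before anything is written to ExifTool's stdin.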
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an unauthenticated attacker to perform unauthorized file operations within the container filesystem. Specifically, the attacker can:
- Rename or move any PDF file being processed to arbitrary locations.
- Overwrite arbitrary files within the container.
- Create symbolic links and hard links at arbitrary paths.
Such capabilities can lead to integrity and availability issues, potentially allowing attackers to manipulate files, disrupt service, or escalate attacks within the container environment.