Vulnerability Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Thecodingmachine | Gotenberg | < 8.31.0 |
Related Weaknesses (CWE)
References
- https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657ExploitMitigationVendor Advisory
- https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-42589?
CVE-2026-42589 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to Ex...
How severe is CVE-2026-42589?
CVE-2026-42589 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-42589?
Check the references section above for vendor advisories and patch information. Affected products include: Thecodingmachine Gotenberg.