Vulnerability Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Thecodingmachine | Gotenberg | < 8.30.0 |
Related Weaknesses (CWE)
References
- https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855ExploitVendor Advisory
- https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855ExploitVendor Advisory
FAQ
What is CVE-2026-42590?
CVE-2026-42590 is a vulnerability with a CVSS score of 8.2 (HIGH). Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary ...
How severe is CVE-2026-42590?
CVE-2026-42590 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-42590?
Check the references section above for vendor advisories and patch information. Affected products include: Thecodingmachine Gotenberg.