CVE-2026-42589
Published 2026-05-14
Priority P1 · 87 · Critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit); listed in VulnCheck KEV; stage: initial access
EPSS: 2.95% (85.4th percentile)
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gotenberg | gotenberg | < 8.31.0 | 8.31.0 |
| thecodingmachine | gotenberg | < 8.31.0 | 8.31.0 |
Detection & IOCs (extracted from sources)
- Detect HTTP POST requests to /forms/pdfengines/metadata/write whose JSON metadata field contains newline characters (\n) inside key names; the newline is the injection vector that splits the ExifTool stdin stream into new argument lines.
- Look for the ExifTool flag -if followed by a Perl expression (e.g., system(...)) injected via newline-delimited JSON keys in the metadata field of multipart form requests.
- A successful attack returns HTTP 200 with a valid PDF, so status-code-only monitoring is ineffective. Correlate instead with anomalous process execution (e.g., sleep or shell commands) spawned from the ExifTool/Gotenberg process tree.
- Nuclei/scanner detection logic: with a time-based payload (sleep 6) against /forms/pdfengines/metadata/write, match status_code == 500 AND duration >= 6 seconds. Note that this particular payload yields a 500 rather than the 200 described above; the status code depends on the payload, so detection should key on the newline in the key name and on the timing, not on the status.
- The vulnerability exists only in Gotenberg versions prior to 8.31.0. Instances running 8.31.0 or later are not affected.
- The endpoint requires no authentication, so any network-reachable Gotenberg instance is exploitable without credentials in a single HTTP request.
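The Go program below is an added example, not Gotenberg's or go-exiftool's own code. It reconstructs how a metadata map becomes the newline-delimited argument stream the description above talks about, shows the kind of key allowlist a practitioner could put in front of the ExifTool call (my own check, not the upstream 8.31.0 fix), and runs the newline-in-key detection from the bullets above over a constructed multipart request body. The multipart boundary, the "files" form field, the tag-name allowlist and the sample body are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"mime/multipart"
	"sort"
	"strings"
)

// argLines reconstructs (illustration only, not Gotenberg's or go-exiftool's
// code) the one-argument-per-line stdin stream a metadata map becomes.
func argLines(meta map[string]string) []string {
	keys := make([]string, 0, len(meta))
	for k := range meta {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order for the demo and the test
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "-%s=%s\n", k, meta[k])
	}
	b.WriteString("-execute")
	// ExifTool reads one argument per line, so a newline inside a key
	// silently becomes an argument boundary: "-Title", "-if", ...
	return strings.Split(b.String(), "\n")
}

// validateKey is the pre-check this example puts in front of ExifTool (an
// assumption, not the upstream 8.31.0 fix): letters, digits, '_', '-' and
// ':' (group prefixes such as XMP-dc:Creator), first rune a letter, never a
// control character.
func validateKey(key string) error {
	if key == "" {
		return fmt.Errorf("empty metadata key")
	}
	for i, r := range key {
		switch {
		case r < 0x20 || r == 0x7f:
			return fmt.Errorf("control character %#x in key", r)
		case i == 0 && !isLetter(r):
			return fmt.Errorf("key must start with a letter: %q", key)
		case !isLetter(r) && !isDigit(r) && r != '_' && r != '-' && r != ':':
			return fmt.Errorf("disallowed character %q in key", r)
		}
	}
	return nil
}

func isLetter(r rune) bool { return (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') }
func isDigit(r rune) bool  { return r >= '0' && r <= '9' }

// suspiciousKeys parses a captured multipart POST body to
// /forms/pdfengines/metadata/write and returns one reason per metadata key
// whose newline would hand ExifTool extra argument lines (such as -if).
func suspiciousKeys(body, boundary string) ([]string, error) {
	mr := multipart.NewReader(strings.NewReader(body), boundary)
	var reasons []string
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			return reasons, nil
		}
		if err != nil {
			return nil, err
		}
		if part.FormName() != "metadata" {
			continue // the "files" part is the PDF itself
		}
		raw, err := io.ReadAll(part)
		if err != nil {
			return nil, err
		}
		var meta map[string]json.RawMessage
		if err := json.Unmarshal(raw, &meta); err != nil {
			return nil, err
		}
		for k := range meta {
			if extra := strings.Split(k, "\n")[1:]; len(extra) > 0 {
				reasons = append(reasons, fmt.Sprintf("key %q injects %q", k, extra))
			}
		}
	}
}

// Constructed request body (not a capture) reusing the advisory's payload;
// the boundary and the "files" part are assumptions.
const sampleBoundary = "----ExampleBoundary"
const sampleBody = "--" + sampleBoundary + "\r\n" +
	"Content-Disposition: form-data; name=\"files\"; filename=\"a.pdf\"\r\n\r\n%PDF-1.4\r\n" +
	"--" + sampleBoundary + "\r\n" +
	"Content-Disposition: form-data; name=\"metadata\"\r\n\r\n" +
	`{"Title\n-if\nsystem('sleep 6')||1\n-Comment":"x"}` + "\r\n" +
	"--" + sampleBoundary + "--\r\n"

func main() {
	fmt.Printf("%q\n", argLines(map[string]string{"Title\n-if\nsystem('sleep 6')||1\n-Comment": "x"}))
	fmt.Println(validateKey("Title\n-if"))
	fmt.Println(suspiciousKeys(sampleBody, sampleBoundary))
}
```

Running it prints the five argument lines the single hostile key expands into, the validation error for that key, and the detection reason naming the injected `-if`; a benign body such as `{"Title":"Report"}` produces no reasons. Because the detection keys on the newline in the JSON key rather than on the HTTP status, it covers both the HTTP 200 case from the advisory and the HTTP 500 case the Nuclei template matches on.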
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
VulDB
Gotenberg up to 8.30.x HTTP Endpoint write OS command injection (GHSA-rqgh-gxv4-6657)
vuldb · 2026-05-14 · CVSS 9.8 · CRITICAL
A vulnerability, which was classified as critical, was found in Gotenberg up to 8.30.x. Impacted is an unknown function of the file /forms/pdfengines/metadata/write of the component HTTP Endpoint. The manipulation results in os command injection.
This vulnerability was named CVE-2026-42589. The attack may be performed from remote. There is no available exploit.
You should upgrade the affected component.
GHSA
Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection
ghsa · 2026-05-07 · CRITICAL · CWE-78
# Unauthenticated RCE in Gotenberg via Metadata Key Newline Injection
## Summary
Gotenberg's `/forms/pdfengines/metadata/write` HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A `\n` embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including `-if`, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring.
## Vulnerability Details
| Field | Value |
|---|---|
VulnCheck
thecodingmachine gotenberg Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2026 · CVSS 9.8 · CRITICAL
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.
No detection rules found.
Nuclei
Gotenberg - Command Injection
nuclei · CVSS 9.8 · CRITICAL
```yaml
# Surviving fragment of the template. The template header, the raw request
# line and headers, and the PDF object dictionaries are missing from the
# extracted text; the lines below are kept as they appear on the page.
          Gotenberg >
          endobj
          2 0 obj
          >
          endobj
          3 0 obj
          >
          endobj
          xref
          0 4
          0000000000 65535 f
          0000000009 00000 n
          0000000058 00000 n
          0000000115 00000 n
          trailer
          >
          startxref
          186
          %%EOF
          ------WebKitFormBoundary{{randstr}}
          Content-Disposition: form-data; name="metadata"

          {"Title\n-if\nsystem('sleep 6')||1\n-Comment":"x"}
          ------WebKitFormBoundary{{randstr}}--

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 500"
          - "duration >= 6"
        condition: and
# digest: 4b0a00483046022100f41b7549afc655757231c895af1d41b39461c5505a992295eabd2d02e29a02f10221008d913c7aa974654c6c1c9da4763d23802f4884c4f8ce167148297b3e7a1f9c59:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.