cbcvebase.
CVE-2026-42589
published 2026-05-14


Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 2.95% (85.4th percentile)
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
gotenberg | gotenberg | < 8.31.0 | 8.31.0
thecodingmachine | gotenberg | < 8.31.0 | 8.31.0

Detection & IOCs (extracted from sources)

url: /forms/pdfengines/metadata/write
command: {"Title\n-if\nsystem('sleep 6')||1\n-Comment":"x"}
other: ------WebKitFormBoundary{{randstr}}
  • Detect HTTP POST requests to /forms/pdfengines/metadata/write containing newline characters (\n) within JSON key names — this is the injection vector splitting ExifTool stdin into new argument lines.
  • Look for the ExifTool flag -if followed by Perl expressions (e.g., system(...)) injected via newline-delimited JSON keys in the metadata field of multipart form requests.
  • The attack returns HTTP 200 with a valid PDF on success, making status-code-only monitoring ineffective. Correlate with anomalous process execution (e.g., sleep, shell commands) spawned from the ExifTool/Gotenberg process tree.
  • Nuclei/scanner detection logic: match status_code == 500 AND duration >= 6 seconds on the /forms/pdfengines/metadata/write endpoint when using a time-based payload (sleep 6).
  • The vulnerability exists only in Gotenberg versions prior to 8.31.0. Instances running 8.31.0 or later are not affected.
  • The endpoint requires no authentication, meaning any network-reachable Gotenberg instance is exploitable without credentials in a single HTTP request.
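The detection notes above describe the signal (a newline inside a JSON key of the metadata field, followed by an ExifTool flag such as -if) but not how to check for it. The following is an added, defensive example written for this page; it is not part of the advisory, of Gotenberg, or of the upstream 8.31.0 fix. It parses the metadata JSON as a WAF, proxy or log-review script would, flags any key that could split the ExifTool stdin stream into extra argument lines, and shows an allowlist filter of the kind a metadata-writing service could apply before handing keys to ExifTool. The tag-name allowlist regex and the benign sample body are assumptions and constructed input; the suspicious sample body is the IOC quoted on this page.

```python
import json
import re

# Assumption (not from Gotenberg or ExifTool docs): accept only tag names of the
# shape "Title", "PDF:Author" or "XMP-dc:Creator". Anything outside this set,
# including any control character or a leading "-", is refused.
TAG_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*(?:-[A-Za-z0-9]+)?(?::[A-Za-z][A-Za-z0-9]*)?")

# Characters that would terminate or corrupt an argument line on ExifTool's stdin.
CONTROL_CHARS = ("\n", "\r", "\x00")


def find_injected_keys(metadata):
    """Return one finding per key that could alter the ExifTool argument stream.

    A key containing "\\n" is split exactly as ExifTool's stdin argument reader
    would split it; every extra line beginning with "-" is reported as an
    injected flag (for the page's IOC that is "-if" and "-Comment").
    """
    findings = []
    for key in metadata:
        extra_lines = key.split("\n")[1:]
        injected_flags = [ln for ln in extra_lines if ln.startswith("-")]
        has_control = any(c in key for c in CONTROL_CHARS)
        if has_control or key.startswith("-") or not TAG_NAME_RE.fullmatch(key):
            findings.append({"key": key, "injected_flags": injected_flags})
    return findings


def inspect_metadata_json(body):
    """Classify the raw JSON text of a 'metadata' form field.

    Returns {"verdict": "clean" | "suspicious" | "malformed", "findings": [...]}.
    Malformed JSON is reported rather than raised so a monitoring loop keeps going.
    """
    try:
        metadata = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": "malformed", "findings": []}
    if not isinstance(metadata, dict):
        return {"verdict": "malformed", "findings": []}
    findings = find_injected_keys(metadata)
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


def sanitize_metadata(metadata):
    """Mitigation: keep only keys that match the allowlist; drop everything else.

    Dropping (rather than escaping) is the safer choice here because an escaped
    key is still a key ExifTool never asked for.
    """
    return {
        k: v
        for k, v in metadata.items()
        if TAG_NAME_RE.fullmatch(k) and not any(c in k for c in CONTROL_CHARS)
    }


# Constructed sample inputs. SUSPICIOUS_BODY is the IOC quoted in this advisory,
# written as it would appear on the wire (the newline is the two-character JSON
# escape "\n"); BENIGN_BODY is an ordinary metadata request.
SUSPICIOUS_BODY = r'''{"Title\n-if\nsystem('sleep 6')||1\n-Comment":"x"}'''
BENIGN_BODY = '{"Title": "Quarterly report", "PDF:Author": "Jane Doe"}'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, inspect_metadata_json(body))
```

On a reverse proxy this check runs against the decoded `metadata` field of the multipart body; in log review it runs against the stored request body. Because the injected key parses as perfectly valid JSON, a generic JSON validator will not catch it; the check has to look at the decoded key bytes, not at the document's syntax.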

CVSS provenance

nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL