CVE-2026-42590
published 2026-05-14CVE-2026-42590: Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's…
PriorityP349high8.2CVSS 3.1
AVNACLPRNUINSUCNIHAL
EPSS
0.29%
20.7th percentile
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v8 | 0 – 8.29.1 | — |
| gotenberg | gotenberg | < 8.30.0 | 8.30.0 |
| thecodingmachine | gotenberg | < 8.30.0 | 8.30.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Gotenberg up to 8.29.x PDF File Writer.pl File:FileName incomplete blacklist (GHSA-7v3r-m9c8-r855)
vuldb·2026-05-14·CVSS 8.2
CVE-2026-42590 [HIGH] Gotenberg up to 8.29.x PDF File Writer.pl File:FileName incomplete blacklist (GHSA-7v3r-m9c8-r855)
A vulnerability has been found in Gotenberg up to 8.29.x and classified as critical. The affected element is an unknown function of the file Writer.pl of the component PDF File Handler. This manipulation of the argument File:FileName causes incomplete blacklist.
The identification of this vulnerability is CVE-2026-42590. It is possible to initiate the attack remotely. There is no exploit available.
The affected component should be upgraded.
GHSA
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
ghsa·2026-05-07
CVE-2026-42590 [HIGH] CWE-184 Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
**Summary**
The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. This is a bypass of the fix for GHSA-qmwh-9m9c-h36m.
**Details**
The blocklist in `pkg/modules/exiftool/exiftool.go` filters four dangerous pseudo-tags (`FileName`, `Directory`, `HardLink`, `SymLink`) using `strings.EqualFold(key, tag)`. However, ExifTool supports group-prefix syntax where `File:FileName` is processed identically to `FileName` -- the prefix is stripped by `SetNewValue` in `Writer.pl` before tag matching.
The `safeKeyPattern` regex (`^[a-zA-Z0-9\-_.:]+$`) allows colons, so prefixed tag names pass
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-14
Published