PT-2026-37106 · Go+2 · Github.Com/Gotenberg/Gotenberg/V8+1

Anuragbathani · Published 2026-05-04 · Updated 2026-05-14 · CVE-2026-40893
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Gotenberg versions prior to 8.31.0
Description: Gotenberg fails to properly validate metadata tags passed to ExifTool, a tool used for reading and writing image, audio, and video metadata. While the software blocks specific tags such as FileName and Directory to prevent unauthorized file manipulation, it does not account for ExifTool group prefixes. An attacker can use System:FileName or System:Directory to bypass these checks, because the check is only an exact string match against the blocked names. Additionally, the FilePermissions tag is missing from the blocklist entirely.
This allows remote attackers to move, rename, and change permissions for arbitrary files within the container via a single HTTP request without authentication. This issue affects every endpoint that accepts the metadata field, including:
  • '/forms/chromium/convert/html'
  • '/forms/libreoffice/convert'
  • '/forms/pdfengines/merge'
  • '/forms/pdfengines/metadata/write'
Vulnerable parameters include System:FileName, System:Directory, and FilePermissions within the metadata field.
Recommendations: Update Gotenberg to version 8.31.0. As a temporary workaround, restrict access to the metadata parameter in all affected API endpoints to minimize the risk of exploitation.
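As an added illustration (example code, not Gotenberg's own), the Go snippet below models the exact-match check the advisory describes next to a hardened check that normalizes the tag name and covers FilePermissions. The normalization follows ExifTool's documented tag syntax (`Group:Tag`, a trailing `#`, a `-lang` suffix, case-insensitive names); the function names are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Tags that make ExifTool act on the filesystem instead of on document
// metadata. FilePermissions is the entry the advisory reports as missing.
var blockedTags = map[string]bool{
	"filename":        true,
	"directory":       true,
	"filepermissions": true,
}

// isBlockedExact models the vulnerable check: an exact string comparison
// against the bare tag names, so "System:FileName" is not caught.
func isBlockedExact(tag string) bool {
	return tag == "FileName" || tag == "Directory"
}

// normalizeTag reduces a user-supplied ExifTool tag key to its bare,
// lower-cased name. ExifTool accepts "Group:Tag" (groups may be chained,
// "Group0:Group1:Tag"), a trailing "#" for numeric values, a "-lang"
// language suffix, and case-insensitive names; every spelling collapses
// to one key so the blocklist cannot be dodged by rewriting the tag.
func normalizeTag(tag string) string {
	name := tag
	if i := strings.LastIndex(name, ":"); i >= 0 {
		name = name[i+1:]
	}
	name = strings.TrimSuffix(name, "#")
	if i := strings.Index(name, "-"); i >= 0 {
		name = name[:i]
	}
	return strings.ToLower(strings.TrimSpace(name))
}

// isBlockedNormalized is the hardened check: compare the normalized name.
func isBlockedNormalized(tag string) bool {
	return blockedTags[normalizeTag(tag)]
}

func main() {
	for _, tag := range []string{"Title", "FileName", "System:FileName", "FilePermissions"} {
		fmt.Printf("%-17s exact=%-5v normalized=%v\n",
			tag, isBlockedExact(tag), isBlockedNormalized(tag))
	}
}
```

A denylist of this shape still depends on enumerating every tag that touches the filesystem; an allowlist of the document-metadata tags the service actually expects is the more robust form of the same check.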

Exploit · Fix · RCE · Incomplete List of Disallowed Inputs

Weakness Enumeration

Related Identifiers: CVE-2026-40893 · GHSA-62P3-HVXX-FXG4

Affected Products: Github.Com/Gotenberg/Gotenberg/V8 · Gotenberg