PT-2026-38380 · Gotenberg · Gotenberg

S-Senhaji · Published 2026-05-07 · Updated 2026-06-25 · CVE-2026-42589

CVSS v3.1: 9.8 Critical · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gotenberg versions prior to 8.31.0
Description: An unauthenticated remote attacker can achieve OS command execution via the '/forms/pdfengines/metadata/write' endpoint. The application accepts a JSON metadata object and passes its keys to ExifTool without validating them for control characters. By embedding a newline character (\n) in a JSON key, an attacker can split the input stream and inject arbitrary ExifTool flags; in particular, the -if flag evaluates Perl expressions, which leads to arbitrary code execution. The attack is transparent to basic monitoring because the server still returns an HTTP 200 response with a valid PDF.
Recommendations: Update to version 8.31.0. As a temporary mitigation, restrict access to the '/forms/pdfengines/metadata/write' endpoint or place the service behind an authenticated reverse proxy to prevent untrusted access to port 3000.
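As an added example (not Gotenberg's own code), the kind of input check the fix implies: a Go routine that parses the submitted metadata JSON and rejects any key containing a control character before anything reaches ExifTool. The function and error names are assumptions, and the sample inputs are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"unicode"
)

// ErrUnsafeMetadataKey is returned when a metadata key contains characters
// that could alter how the key is handed to ExifTool.
var ErrUnsafeMetadataKey = errors.New("metadata key contains control characters")

// hasControlChars reports whether s contains any Unicode control character
// (newline, carriage return, tab, NUL and the rest of the C0/C1 range).
func hasControlChars(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) {
			return true
		}
	}
	return false
}

// ValidateMetadata parses the JSON metadata object submitted to the endpoint
// and rejects it if any key is empty or contains a control character.
// Hypothetical helper: the names are assumptions, not Gotenberg's API.
func ValidateMetadata(raw []byte) (map[string]any, error) {
	var meta map[string]any
	if err := json.Unmarshal(raw, &meta); err != nil {
		return nil, fmt.Errorf("metadata is not a JSON object: %w", err)
	}
	for k := range meta {
		if k == "" || hasControlChars(k) {
			return nil, fmt.Errorf("%w: %q", ErrUnsafeMetadataKey, k)
		}
	}
	return meta, nil
}

func main() {
	// Constructed inputs: a benign object and one whose key embeds a newline.
	benign := []byte(`{"Author":"Alice","Title":"Quarterly report"}`)
	hostile := []byte(`{"Author\nInjected":"x"}`)
	_, err := ValidateMetadata(benign)
	fmt.Println("benign accepted:", err == nil)
	_, err = ValidateMetadata(hostile)
	fmt.Println("hostile rejected:", errors.Is(err, ErrUnsafeMetadataKey))
}
```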

Exploit · Fix · RCE · OS Command Injection

Related Identifiers

CVE-2026-42589
GHSA-RQGH-GXV4-6657
GO-2026-5636

Affected Products

Gotenberg