PT-2026-38380 · Gotenberg · Gotenberg
S-Senhaji · Published 2026-05-07 · Updated 2026-06-25
CVE-2026-42589 · CVSS v3.1 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Gotenberg versions prior to 8.31.0
Description
An unauthenticated remote attacker can achieve OS command execution via the '/forms/pdfengines/metadata/write' endpoint. The endpoint accepts a JSON metadata object and passes its keys to ExifTool without rejecting control characters. By embedding a newline character (\n, 0x0A) in a JSON key, an attacker splits the argument stream handed to ExifTool and so injects arbitrary ExifTool flags. In particular, the -if flag evaluates its condition as a Perl expression, which turns flag injection into arbitrary code execution in the context of the Gotenberg process. The attack is transparent to basic monitoring: the server still returns an HTTP 200 response with a valid PDF, so nothing in the status code or the output indicates that anything unusual happened.
Recommendations
Update to version 8.31.0 or later.
As a temporary mitigation, restrict access to the '/forms/pdfengines/metadata/write' endpoint, or place the service behind an authenticated reverse proxy. The proxy only helps if port 3000 is not reachable directly (for example from other containers or hosts on the same network), so verify that with a connection attempt from an untrusted network position rather than assuming it.
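For anyone who cannot upgrade immediately, or who wraps Gotenberg's metadata endpoint in a service of their own, the following Go code is an added example of the input validation that closes this class of bug. It is not Gotenberg's code or its fix. It assumes that each metadata entry ends up as one "-Key=Value" argument on the stream handed to ExifTool, so that a newline or carriage return inside a key would begin a new argument; the tag-name allowlist regexp, the function names and the sample requests are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"sort"
	"unicode"
)

// ErrUnsafeMetadata is returned for any key or value that could change how
// the argument stream handed to ExifTool is parsed.
var ErrUnsafeMetadata = errors.New("unsafe metadata")

// tagNameRE is an allowlist for ExifTool tag names such as "Title" or
// "XMP-dc:Creator". Assumption: this covers the tags a deployment writes;
// extend it deliberately rather than falling back to a denylist.
var tagNameRE = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_]*(?:[:-][A-Za-z][A-Za-z0-9_]*)*$`)

// ValidateMetadataKey rejects empty keys, keys containing control characters
// (\n and \r split the argument stream, so a key can smuggle in a new "-flag"
// line) and anything outside the tag-name allowlist, which also excludes a
// leading '-'.
func ValidateMetadataKey(key string) error {
	if key == "" {
		return fmt.Errorf("%w: empty key", ErrUnsafeMetadata)
	}
	for _, r := range key {
		if unicode.IsControl(r) {
			return fmt.Errorf("%w: key %q contains control character U+%04X", ErrUnsafeMetadata, key, r)
		}
	}
	if !tagNameRE.MatchString(key) {
		return fmt.Errorf("%w: key %q is not a valid tag name", ErrUnsafeMetadata, key)
	}
	return nil
}

// ValidateMetadataValue rejects control characters in values. The advisory
// only describes injection through keys; checking values as well is a
// conservative choice made in this example because they travel on the same
// stream.
func ValidateMetadataValue(key, value string) error {
	for _, r := range value {
		if unicode.IsControl(r) {
			return fmt.Errorf("%w: value for %q contains control character U+%04X", ErrUnsafeMetadata, key, r)
		}
	}
	return nil
}

// ExifToolArgs parses a JSON metadata object and returns one "-Key=Value"
// argument per entry, or an error if any entry fails validation. Keys are
// sorted so the result is deterministic.
func ExifToolArgs(raw []byte) ([]string, error) {
	var meta map[string]any
	if err := json.Unmarshal(raw, &meta); err != nil {
		return nil, fmt.Errorf("invalid metadata JSON: %w", err)
	}
	keys := make([]string, 0, len(meta))
	for k := range meta {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	args := make([]string, 0, len(keys))
	for _, k := range keys {
		if err := ValidateMetadataKey(k); err != nil {
			return nil, err
		}
		v := fmt.Sprint(meta[k])
		if err := ValidateMetadataValue(k, v); err != nil {
			return nil, err
		}
		args = append(args, "-"+k+"="+v)
	}
	return args, nil
}

func main() {
	// Constructed sample requests: a benign one, and one with a newline hidden
	// in a key (the JSON escape \n decodes to a real 0x0A byte).
	for _, raw := range []string{
		`{"Title":"Quarterly report","Author":"A. Analyst"}`,
		`{"Title":"Quarterly report","Author\n-if":"x"}`,
	} {
		args, err := ExifToolArgs([]byte(raw))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", args)
	}
}
```

The allowlist does the real work: it cannot accept a key that starts with '-' or contains a line break, whatever ExifTool's argument parser happens to tolerate. The explicit control-character loop exists only to give a clearer error message for exactly the case this advisory describes.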
Exploit
Fix
RCE
OS Command Injection
Affected Products
Gotenberg