PT-2026-38381 · Gotenberg · Gotenberg
Johanneslks · Published 2026-05-07 · Updated 2026-06-25 · CVE-2026-42590
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Gotenberg versions prior to 8.30.0
Description
The ExifTool metadata write blocklist can be bypassed using group-prefix syntax, allowing an attacker to perform arbitrary file rename, move, hardlink, and symlink creation on the server. The safeKeyPattern regex allows colons, enabling prefixed tag names like File:FileName to pass validation and be processed identically to the blocked tags. Additionally, the pseudo-tags FilePermissions, FileUserID, and FileGroupID are not blocked, allowing the modification of file attributes. This issue affects the '/forms/pdfengines/metadata/write' endpoint via the metadata parameter. In environments with mounted volumes or non-containerized setups, this can lead to arbitrary file read through symlink chaining and file overwrite via directory manipulation.
Recommendations
Update to version 8.30.0.
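The validation gap described above, shown as an added Go example that is not Gotenberg's own code: a whole-key denylist check beside one that compares only the tag name after the last group prefix and also covers the attribute pseudo-tags. The regex body, the denylist contents and the function names are assumptions; the page states only that safeKeyPattern permits colons.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed shape of the key check: the advisory says only that it permits colons.
var safeKeyPattern = regexp.MustCompile(`^[A-Za-z0-9_:-]+$`)

// Assumed original denylist of file-system pseudo-tags (constructed for this example).
var blocked = map[string]bool{
	"filename": true, "directory": true, "hardlink": true, "symlink": true,
}

// Hardened denylist also covers the attribute pseudo-tags named in the advisory.
var blockedHardened = map[string]bool{
	"filename": true, "directory": true, "hardlink": true, "symlink": true,
	"filepermissions": true, "fileuserid": true, "filegroupid": true,
}

// weakAllowed compares the whole key, so "File:FileName" never equals "filename".
func weakAllowed(key string) bool {
	return safeKeyPattern.MatchString(key) && !blocked[strings.ToLower(key)]
}

// hardenedAllowed strips any group prefix and checks only the final tag name.
func hardenedAllowed(key string) bool {
	if !safeKeyPattern.MatchString(key) {
		return false
	}
	tag := key[strings.LastIndex(key, ":")+1:]
	return tag != "" && !blockedHardened[strings.ToLower(tag)]
}

func main() {
	// Constructed sample keys, including a legitimate prefixed metadata tag.
	keys := []string{"Title", "FileName", "File:FileName", "FilePermissions", "XMP-dc:Title"}
	for _, k := range keys {
		fmt.Printf("%-16s weak=%-5v hardened=%v\n", k, weakAllowed(k), hardenedAllowed(k))
	}
}
```

Where the set of metadata keys an application needs is known in advance, an allowlist of those keys avoids depending on the denylist being complete.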
Weakness Enumeration
Incomplete List of Disallowed Inputs
Affected Products
Gotenberg