PatchSiren

CVE-2026-42589 gotenberg CVE debrief

Gotenberg versions prior to 8.31.0 contain a critical, unauthenticated command injection vulnerability in the /forms/pdfengines/metadata/write endpoint. The endpoint accepts a JSON object of metadata and hands its keys to ExifTool through the go-exiftool library, which drives a long-running ExifTool process by writing one argument per line to its stdin. Because the keys are not validated, a key containing a newline character ends one argument and begins another, so an attacker can inject arbitrary ExifTool options, including -if, whose argument ExifTool evaluates as a Perl expression. The result is OS command execution from a single HTTP request. The attack is also quiet: the endpoint still returns HTTP 200 with a valid PDF, so error-rate or availability monitoring will not notice it. The vulnerability was published on 2026-05-14 and last modified on 2026-05-18. No known exploitation in ransomware campaigns has been reported.

Vendor
gotenberg
Product
Gotenberg (product field not populated in the stored record; inferred from the advisory text)
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-05-18
Advisory published
2026-05-14
Advisory updated
2026-05-18

Who should care

Organizations running Gotenberg PDF conversion services, particularly those exposed to untrusted network traffic or processing user-supplied documents. DevOps teams managing containerized document processing pipelines. Security operations centers monitoring for API abuse in document conversion workflows.

Technical summary

The vulnerability is in Gotenberg's metadata writing functionality, which relies on ExifTool to manipulate PDF metadata. go-exiftool drives ExifTool in stay_open mode, writing each argument on its own line of ExifTool's stdin, and Gotenberg passed the JSON metadata keys into those arguments without sanitization. A key of the form "Author\n-option" therefore reaches ExifTool as two arguments: the intended -Author tag and an attacker-chosen -option, so any ExifTool command-line option can be injected. The -if option is the dangerous one because ExifTool evaluates its argument as a Perl expression, which is sufficient for arbitrary code execution in the context of the Gotenberg process. The vulnerability is network-accessible, requires no authentication, and produces no visible error condition, which makes it well suited to automated exploitation. A newline in a metadata value would cross the same argument boundary, so any validation placed in front of an unpatched service should cover values as well as keys.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Gotenberg to version 8.31.0 or later immediately.
  • If immediate patching is not possible, restrict network access to the Gotenberg service to trusted hosts only; the endpoint is unauthenticated by default, so network reachability is the attack surface.
  • Monitor for requests to /forms/pdfengines/metadata/write whose metadata field contains keys with newline characters. The metadata arrives as a JSON string in a multipart form field, so the newline is normally encoded as the escape \n (or \u000a) rather than a raw line break; inspection has to decode the JSON rather than match raw bytes.
  • Review container and host logs for unexpected child processes under the exiftool process or unexpected outbound connections from Gotenberg containers; because the endpoint returns 200 on a successful attack, the HTTP response alone tells you nothing.
  • Implement Web Application Firewall rules that decode the metadata JSON and block keys that are not plain tag names, or values that contain control characters; a rule that only matches a literal newline byte will miss the escaped form.
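The argument-boundary mechanism described in the technical summary, and the decoding caveat in the monitoring bullet above, as an added Go example that is not Gotenberg's or go-exiftool's own code: it models the one-argument-per-line stdin stream a stay_open ExifTool session reads, shows that a key containing a newline yields an extra argument, and pairs that with a validator and a log scanner built on the same check. The tag-name allow-list, the "-injected-flag" placeholder, the log line format and its metadata= field are all constructed for this example and are assumptions, not Gotenberg's real log format or a real payload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// metadataArgs builds the "-Tag=value" arguments a metadata write needs. It models
// the behaviour the advisory describes; it is not go-exiftool's or Gotenberg's code.
func metadataArgs(meta map[string]string, pdfPath string) []string {
	args := make([]string, 0, len(meta)+1)
	for k, v := range meta {
		args = append(args, "-"+k+"="+v)
	}
	return append(args, pdfPath)
}

// stdinStream renders the arguments the way a stay_open ExifTool session
// ("exiftool -stay_open True -@ -") reads them: one argument per line of stdin.
func stdinStream(args []string) string {
	return strings.Join(args, "\n") + "\n"
}

// argsSeenByExifTool counts the arguments ExifTool would parse from the stream.
// A newline inside a key or value adds a line, and therefore an argument.
func argsSeenByExifTool(stream string) int {
	n := 0
	for _, line := range strings.Split(stream, "\n") {
		if line != "" {
			n++
		}
	}
	return n
}

// tagName is a conservative allow-list for tag names such as "Author" or
// "XMP-dc:Title" (assumption: the real endpoint may accept a wider set). The
// first character may not be "-", so a key can never turn into an option.
var tagName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_:-]*$`)

// validateMetadata decodes the JSON "metadata" form field (assumed here to be a
// flat object of strings) and rejects anything that could end an argument line
// or start an option. Values are checked too: a newline in a value crosses the
// same argument boundary as a newline in a key.
func validateMetadata(raw []byte) (map[string]string, error) {
	var meta map[string]string
	if err := json.Unmarshal(raw, &meta); err != nil {
		return nil, fmt.Errorf("metadata is not a flat JSON object of strings: %w", err)
	}
	for k, v := range meta {
		if !tagName.MatchString(k) {
			return nil, fmt.Errorf("metadata key %q is not a valid tag name", k)
		}
		if strings.IndexFunc(v, unicode.IsControl) >= 0 {
			return nil, fmt.Errorf("metadata value for %q contains a control character", k)
		}
	}
	return meta, nil
}

// sampleLog is constructed for this example (not real Gotenberg log output). The
// metadata field is recorded in its JSON form, so the newline appears as the
// escape "\n", not a raw line break; a rule matching a literal newline misses it.
var sampleLog = []string{
	`POST /forms/pdfengines/metadata/write 200 metadata={"Author":"Alice","Title":"Q3 report"}`,
	`POST /forms/pdfengines/metadata/write 200 metadata={"Author\n-injected-flag":"x"}`,
	`POST /forms/chromium/convert/html 200 metadata={"Author":"Bob"}`,
	`POST /forms/pdfengines/metadata/write 200 metadata={"Title":"line1\nline2"}`,
}

// flagRequests returns the indexes of log lines for the vulnerable endpoint whose
// decoded metadata fails validation. It decodes the JSON rather than byte-matching,
// which is the check a WAF or log pipeline needs to catch the escaped form.
func flagRequests(lines []string) []int {
	var hits []int
	for i, line := range lines {
		idx := strings.Index(line, "metadata=")
		if !strings.Contains(line, "/forms/pdfengines/metadata/write") || idx < 0 {
			continue
		}
		if _, err := validateMetadata([]byte(line[idx+len("metadata="):])); err != nil {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	benign := map[string]string{"Author": "Alice"}
	fmt.Println(argsSeenByExifTool(stdinStream(metadataArgs(benign, "in.pdf")))) // 2
	split := map[string]string{"Author\n-injected-flag": "x"}
	fmt.Println(argsSeenByExifTool(stdinStream(metadataArgs(split, "in.pdf")))) // 3
	fmt.Println(flagRequests(sampleLog)) // [1 3]
}
```

Running it prints 2, then 3, then [1 3]: the benign request becomes two arguments (the tag and the file), the key with an embedded newline becomes three, and the scanner flags the two log lines whose decoded metadata carries a control character, one in a key and one in a value, while ignoring the unrelated endpoint. The validator is an allow-list on purpose: rejecting only "\n" would leave other control characters and leading "-" untested, and the cheap conservative check is easier to reason about than a blocklist.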

Evidence notes

Vendor advisory confirms exploitation via crafted JSON metadata with embedded newlines to inject ExifTool flags. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H supports critical severity. CPE range confirms all versions below 8.31.0 are vulnerable.

Official resources

2026-05-14T16:16:21.867Z