PatchSiren cyber security CVE debrief
CVE-2026-40893 Thecodingmachine CVE debrief
CVE-2026-40893 is a high-severity vulnerability in Gotenberg, a Docker-powered stateless API for PDF files. The issue stems from an incomplete validation of ExifTool metadata tags. Prior to version 8.31.0, Gotenberg only checked for an exact match of the tag name `FileName`, allowing the variant `System:FileName` to bypass validation. ExifTool would then process this tag, enabling remote attackers to move, rename, and modify permissions on arbitrary files on the system. The vulnerability was published on May 14, 2026, and last modified on May 18, 2026. It has been assigned a CVSS 3.1 score of 8.2 (HIGH). The vendor, Thecodingmachine, has released version 8.31.0 to address this issue. The weakness is categorized under CWE-73 (External Control of File Name or Path) and CWE-184 (Incomplete List of Disallowed Inputs).
- Vendor: Thecodingmachine
- Product: Gotenberg
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Organizations running Gotenberg PDF conversion services, particularly those exposed to untrusted user input or operating in multi-tenant environments. DevOps teams managing containerized document processing pipelines should prioritize patching.
Technical summary
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checked whether a submitted metadata tag name was exactly `FileName`, so the group-qualified variant `System:FileName` passed validation and was handed to ExifTool, which then renamed the file. This allows remote attackers to move, rename, and change permissions on arbitrary files. The vulnerability is fixed in 8.31.0.
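The check the advisory describes, shown as an added example beside a hardened form. This is not Gotenberg's code: the denylist contents, the treatment of ExifTool group prefixes (`Group:Tag`) and of the numeric `#` suffix, and the case-insensitive comparison are assumptions about how ExifTool tag references can be spelled, used here to show why an exact-match check is an incomplete denylist (CWE-184).

```go
package main

import (
	"fmt"
	"strings"
)

// isForbiddenVulnerable mirrors the pre-8.31.0 behaviour in the advisory:
// only the bare spelling "FileName" is rejected, so "System:FileName"
// is accepted and reaches ExifTool.
func isForbiddenVulnerable(tag string) bool {
	return tag == "FileName"
}

// fileSystemTags is an illustrative denylist (assumption, not Gotenberg's
// list): ExifTool tags that act on the file itself rather than on the
// metadata embedded in it.
var fileSystemTags = map[string]struct{}{
	"filename":        {},
	"directory":       {},
	"filepermissions": {},
	"filemodifydate":  {},
}

// normalizeTag reduces a tag reference to its bare, lower-cased name:
// any group prefixes ("System:", "File:System:") and a trailing "#"
// (ExifTool's request for a numeric value) are stripped before comparing,
// so alternative spellings of one tag cannot bypass the check.
func normalizeTag(tag string) string {
	t := strings.TrimSpace(tag)
	t = strings.TrimSuffix(t, "#")
	if i := strings.LastIndex(t, ":"); i >= 0 {
		t = t[i+1:]
	}
	return strings.ToLower(t)
}

// isForbiddenHardened rejects any tag whose normalized name is on the
// denylist, however the client spelled it.
func isForbiddenHardened(tag string) bool {
	_, bad := fileSystemTags[normalizeTag(tag)]
	return bad
}

func main() {
	// Constructed sample keys as a client might submit them in the metadata map.
	for _, tag := range []string{"Author", "FileName", "System:FileName", "system:filename#", "Directory"} {
		fmt.Printf("%-18s vulnerable=%-5v hardened=%v\n", tag, isForbiddenVulnerable(tag), isForbiddenHardened(tag))
	}
}
```

The printed table shows the variant the advisory names passing the vulnerable check and failing the hardened one; an allowlist of the metadata tags a service actually needs to write is the stricter alternative to any denylist.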
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Gotenberg to version 8.31.0 or later to remediate this vulnerability.
- Review file system permissions and access controls on systems running Gotenberg to limit potential impact.
- Monitor for unusual file operations or permission changes on Gotenberg hosts.
- If immediate patching is not possible, consider restricting network access to Gotenberg instances to trusted sources only.
Evidence notes
The vulnerability description and affected versions are sourced from the NVD record and GitHub Security Advisory. The CVSS vector confirms network attack vector with low complexity, no privileges required, and high impact to integrity with low availability impact.
Official resources
- CVE-2026-40893 CVE record (CVE.org)
- CVE-2026-40893 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: GitHub Security Advisory (NVD reference tags: Exploit, Vendor Advisory)
The vulnerability was disclosed through GitHub Security Advisories and subsequently published in the NVD. The vendor has acknowledged the issue and provided a patched release.