PatchSiren cyber security CVE debrief
CVE-2026-42590 Thecodingmachine CVE debrief
CVE-2026-42590 affects Gotenberg before 8.30.0. A metadata-write blocklist in the ExifTool integration can be bypassed using ExifTool group-prefix syntax, and some pseudo-tags were not blocked at all. The result is unauthorized file manipulation on the server, with integrity impact and limited availability impact.
- Vendor: Thecodingmachine
- Product: Gotenberg
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Operators of Gotenberg deployments that process untrusted documents or metadata, especially if the service has meaningful filesystem access in production.
Technical summary
The issue is a validation and filtering failure in Gotenberg's ExifTool metadata write handling. ExifTool accepts group-prefixed tag names such as File:FileName, and strips the group prefix before matching the tag name. Gotenberg's safeKeyPattern allows colons, so a prefixed name passes validation while evading the blocklist, which only matched the bare tag name. The advisory also states that the FilePermissions, FileUserID, and FileGroupID pseudo-tags were not blocked at all, so file attributes could be changed without any prefix. NVD scores the vulnerability as network-reachable, unauthenticated, and requiring no user interaction, with high integrity impact and low availability impact; the fixed version is 8.30.0.
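To make the two defects concrete, the following Go program contrasts a permissive key check with a hardened one. It is an added, constructed illustration and not Gotenberg's code: the weak pattern, the "original" blocklist contents, and the function names are assumptions chosen to reproduce the class of bug described above (a character class that admits ':' plus a blocklist matched against the raw, unnormalized key). The pseudo-tag names (FileName, Directory, HardLink, SymLink, FilePermissions, FileUserID, FileGroupID) are real ExifTool tags; ExifTool tag names are case-insensitive, which is why the hardened check lowercases before comparing.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// weakKeyPattern is a constructed stand-in for a permissive validator. The
// character class includes ':', so a group-prefixed name such as
// "File:FileName" is accepted and then compared against the blocklist as a
// whole string, where it does not match "filename".
var weakKeyPattern = regexp.MustCompile(`^[A-Za-z0-9_:\-]+$`)

// weakBlocklist is a constructed blocklist that omits the permission and
// ownership pseudo-tags entirely, mirroring the second defect the advisory
// describes (FilePermissions, FileUserID, FileGroupID not blocked).
var weakBlocklist = map[string]bool{
	"filename":  true,
	"directory": true,
	"hardlink":  true,
	"symlink":   true,
}

// strictKeyPattern admits only a bare tag name: a leading letter followed by
// letters, digits or underscore. No ':' means no group prefix can reach the
// blocklist comparison.
var strictKeyPattern = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_]*$`)

// blockedPseudoTags lists ExifTool pseudo-tags that act on the file itself
// (name, location, links, mode, ownership) rather than on embedded metadata.
// Keys are lowercase because ExifTool matches tag names case-insensitively.
var blockedPseudoTags = map[string]bool{
	"filename":        true,
	"directory":       true,
	"hardlink":        true,
	"symlink":         true,
	"filepermissions": true,
	"fileuserid":      true,
	"filegroupid":     true,
}

// weakAllows reproduces the vulnerable behaviour: pattern check with ':'
// permitted, then a blocklist lookup on the key as supplied.
func weakAllows(key string) bool {
	if !weakKeyPattern.MatchString(key) {
		return false
	}
	return !weakBlocklist[strings.ToLower(key)]
}

// strictAllows is the hardened check: reject anything that is not a bare tag
// name, then compare the normalized (lowercased) name against the pseudo-tag
// blocklist.
func strictAllows(key string) bool {
	if !strictKeyPattern.MatchString(key) {
		return false
	}
	return !blockedPseudoTags[strings.ToLower(key)]
}

func main() {
	// Constructed sample keys: two benign, one prefixed, one unprefixed
	// pseudo-tag that the weak blocklist never listed.
	for _, k := range []string{"Title", "Author", "File:FileName", "FilePermissions"} {
		fmt.Printf("%-16s weak=%-5t strict=%t\n", k, weakAllows(k), strictAllows(k))
	}
}
```

The hardened check still relies on a blocklist being complete; the more defensible design for a metadata-write endpoint is an allowlist of the specific tags the service is meant to set, with everything else rejected before it reaches ExifTool. The case normalization matters on its own: because ExifTool ignores case, a blocklist compared byte-for-byte against "FILENAME" would also fail.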
Defensive priority
High. The vulnerability is remotely reachable, requires no privileges or user interaction, and can directly affect server files. Because the outcome includes unauthorized rename, move, hardlink, and symlink creation, prioritize rapid upgrade and exposure reduction.
Recommended defensive actions
- Upgrade Gotenberg to 8.30.0 or later.
- Review any workflows that accept untrusted uploads or metadata and restrict them until patched.
- Run Gotenberg with least-privilege filesystem permissions and isolate writable paths.
- Monitor conversion and staging directories for unexpected file rename, move, hardlink, symlink, or permission changes.
- Confirm that any exposed document-processing endpoints are not reachable by unauthenticated callers.
Evidence notes
The GitHub Security Advisory states that the ExifTool metadata write blocklist can be bypassed with group-prefix syntax and that FilePermissions, FileUserID, and FileGroupID were not blocked. The NVD record confirms the affected range ends before 8.30.0 and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L, consistent with a high-severity integrity-focused issue.
Official resources
- CVE-2026-42590 CVE record (CVE.org)
- CVE-2026-42590 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
Publicly disclosed on 2026-05-14 and updated on 2026-05-18; fixed in Gotenberg 8.30.0.