PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42593 Thecodingmachine CVE debrief

Gotenberg versions prior to 8.32.0 contain a path traversal vulnerability in PDF processing endpoints. Six API routes—pdfengines/merge, pdfengines/split, libreoffice/convert, and three chromium/convert variants—accept stampSource=pdf and watermarkSource=pdf parameters paired with user-controlled stampExpression and watermarkExpression paths. When no file is uploaded, these routes fail to sanitize the expression parameter, passing it directly to pdfcpu for file operations. This allows unauthenticated attackers to read arbitrary PDF files accessible to the Gotenberg process within the container filesystem. The dedicated stamp and watermark routes properly require file uploads for image or PDF sources, but these six conversion routes do not enforce equivalent validation. The vulnerability was published on 2026-05-14 and last modified on 2026-05-18.

Vendor
Thecodingmachine
Product
Gotenberg
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-05-18
Advisory published
2026-05-14
Advisory updated
2026-05-18

Who should care

Organizations running Gotenberg PDF conversion services in production, particularly those exposing instances to untrusted networks or processing documents from external sources. DevOps teams managing Gotenberg deployments via Docker or Kubernetes. Security teams monitoring for path traversal vulnerabilities in document processing pipelines.

Technical summary

The vulnerability stems from inconsistent input validation across Gotenberg's API surface. The dedicated /stamp and /watermark endpoints enforce the file upload requirement when the source type is image or PDF, but the conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/*) only overwrite the stampExpression/watermarkExpression parameter when a file is present in the multipart request. When no file is uploaded, the user-supplied path persists and is passed to pdfcpu as the source file for the stamp or watermark operation. This inconsistency yields a path traversal read primitive reachable by any client that can send HTTP requests to the instance (PR:N in the CVSS vector). Because pdfcpu consumes the path as a PDF source, the primitive returns content only from files pdfcpu can parse as PDF: the realistic exposure is other PDFs inside the container boundary, such as documents from other conversion jobs left in temporary directories or PDFs on mounted volumes, rather than arbitrary configuration files. The containerized deployment model confines access to that boundary, which limits the impact but does not remove it.

Defensive priority

medium

Recommended defensive actions

  • Upgrade to Gotenberg 8.32.0 or later to eliminate the vulnerability.
  • If immediate patching is not feasible, restrict network access to Gotenberg instances to authorized clients only.
  • Review container filesystem permissions to limit PDF files accessible to the Gotenberg process.
  • Monitor API access logs for requests to the affected routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown) that carry stampSource=pdf or watermarkSource=pdf together with a stampExpression/watermarkExpression value but no uploaded file. Standard access logs record only method and path, so spotting the form fields requires request-body inspection, for example at a reverse proxy in front of the instance.
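The following Go program is an added illustration for this debrief; it is not Gotenberg's code and does not reproduce the project's handlers. It reconstructs the validation pattern the technical summary describes (the expression parameter is only replaced when an upload is present) beside the hardened form, and adds the request check the monitoring bullet above asks for, generalised to both the stamp and watermark parameter pairs. The "/forms/" route prefix, the upload field names stampFile and watermarkFile, the work directory and the sample multipart bodies are assumptions made for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"path/filepath"
)

// ErrMissingSourceFile is returned by the hardened resolver when a PDF source
// is requested but no file was uploaded.
var ErrMissingSourceFile = errors.New("pdf source requires an uploaded file")

// Routes named in the advisory. The "/forms/" prefix is assumed here.
var affectedRoutes = map[string]bool{
	"/forms/pdfengines/merge":          true,
	"/forms/pdfengines/split":          true,
	"/forms/libreoffice/convert":       true,
	"/forms/chromium/convert/url":      true,
	"/forms/chromium/convert/html":     true,
	"/forms/chromium/convert/markdown": true,
}

// ResolveSourcePath returns the path that would be handed to pdfcpu for the
// stamp or watermark identified by prefix ("stamp" or "watermark").
// strict=false reproduces the flawed pattern the summary describes;
// strict=true is the hardened form. The upload field name prefix+"File" is
// an assumption of this example.
func ResolveSourcePath(r *http.Request, prefix, workDir string, strict bool) (string, error) {
	if err := r.ParseMultipartForm(32 << 20); err != nil {
		return "", err
	}
	expr := r.FormValue(prefix + "Expression")
	if r.FormValue(prefix+"Source") != "pdf" {
		// Text source: the expression is literal stamp text, not a path.
		return expr, nil
	}
	if uploads := r.MultipartForm.File[prefix+"File"]; len(uploads) > 0 {
		// An upload exists: the path is built from the server-side work
		// directory and the bare file name, never from the caller's string.
		return filepath.Join(workDir, filepath.Base(uploads[0].Filename)), nil
	}
	if !strict {
		// Vulnerable: no upload, so the caller-controlled expression is used
		// verbatim as the file path.
		return expr, nil
	}
	return "", ErrMissingSourceFile
}

// FlagRequest reports whether r has the exploit shape: an affected route, a
// pdf source with an expression, and no upload. Intended for a logging or
// blocking proxy placed in front of an unpatched instance.
func FlagRequest(r *http.Request) (bool, error) {
	if !affectedRoutes[r.URL.Path] {
		return false, nil
	}
	if err := r.ParseMultipartForm(32 << 20); err != nil {
		return false, err
	}
	for _, prefix := range []string{"stamp", "watermark"} {
		if r.FormValue(prefix+"Source") == "pdf" &&
			r.FormValue(prefix+"Expression") != "" &&
			len(r.MultipartForm.File[prefix+"File"]) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// NewSourceRequest builds a constructed multipart request: a pdf source with
// the given expression and, optionally, a placeholder upload.
func NewSourceRequest(route, prefix, expr string, upload bool) *http.Request {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	_ = w.WriteField(prefix+"Source", "pdf")
	_ = w.WriteField(prefix+"Expression", expr)
	if upload {
		part, _ := w.CreateFormFile(prefix+"File", prefix+".pdf")
		_, _ = part.Write([]byte("%PDF-1.4\n%%EOF\n")) // constructed placeholder body
	}
	_ = w.Close()
	req := httptest.NewRequest(http.MethodPost, route, &body)
	req.Header.Set("Content-Type", w.FormDataContentType())
	return req
}

func main() {
	const work = "/tmp/gotenberg-job"
	const route = "/forms/pdfengines/merge"
	probe := "/srv/other-tenant/report.pdf" // constructed: a PDF outside the job directory
	for _, strict := range []bool{false, true} {
		p, err := ResolveSourcePath(NewSourceRequest(route, "stamp", probe, false), "stamp", work, strict)
		fmt.Printf("strict=%v path=%q err=%v\n", strict, p, err)
	}
	flagged, _ := FlagRequest(NewSourceRequest(route, "watermark", probe, false))
	fmt.Println("flagged:", flagged)
}
```

With strict=false the resolver hands the caller's string straight through as the path, which is the condition the advisory describes; with strict=true the same request is rejected before any file is opened. FlagRequest is the same predicate turned around for detection: run it at a proxy that buffers multipart bodies, and log or block the request rather than forwarding it.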

Evidence notes

NVD CPE identifies thecodingmachine:gotenberg as the affected vendor-product pair with vulnerable versions prior to 8.32.0. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N confirms network-accessible, low-complexity, unauthenticated read-only impact. GitHub Security Advisory GHSA-3cv5-q585-h563 is tagged as Exploit, Mitigation, and Vendor Advisory. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path) are identified as applicable weaknesses.

Official resources

2026-05-14T16:16:22.450Z