CVE-2026-42589

Source
https://cve.org/CVERecord?id=CVE-2026-42589
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42589.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42589
Aliases
Published
2026-05-14T15:11:30.619Z
Modified
2026-07-08T08:13:29.950624706Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection
Details

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42589.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/gotenberg/gotenberg

Affected ranges

Type
GIT
Repo
https://github.com/gotenberg/gotenberg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.31.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

1.*
1.0.0
2.*
2.0.0
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.4.0
5.*
5.0.0
5.0.1
5.0.2
5.1.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.1.1
6.1.2
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.1.0
v7.1.1
v7.10.0
v7.10.1
v7.2.0
v7.3.0
v7.3.1
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.6.0
v7.6.1
v7.6.2
v7.7.0
v7.7.1
v7.7.2
v7.8.0
v7.8.1
v7.8.2
v7.8.3
v7.9.0
v7.9.1
v7.9.2
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v8.10.0
v8.11.0
v8.11.1
v8.12.0
v8.13.0
v8.14.0
v8.14.1
v8.15.0
v8.15.1
v8.15.2
v8.15.3
v8.16.0
v8.17.0
v8.17.1
v8.17.2
v8.17.3
v8.18.0
v8.19.0
v8.19.1
v8.2.0
v8.2.1
v8.2.2
v8.20.0
v8.20.1
v8.21.0
v8.21.1
v8.22.0
v8.23.0
v8.23.1
v8.23.2
v8.24.0
v8.25.0
v8.25.1
v8.26.0
v8.27.0
v8.28.0
v8.29.0
v8.29.1
v8.3.0
v8.30.0
v8.30.1
v8.4.0
v8.5.0
v8.5.1
v8.6.0
v8.7.0
v8.8.0
v8.8.1
v8.9.0
v8.9.1
v8.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42589.json"