Gotenberg allows attackers to rename or overwrite files on your server.

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-40281

Gotenberg versions prior to 8.31.0 have a critical flaw allowing unauthenticated attackers to rename, move, or overwrite files processed by the service, potentially impacting sensitive data.

Halo Surface Signal: 4

Thecodingmachine Gotenberg

before 8.31.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-40281

Gotenberg is a stateless PDF processing API designed to handle and process user-supplied document metadata. As a specialized API service used for document generation and conversion, it is frequently deployed in internet-facing configurations where it directly receives external requests to process untrusted PDF uploads.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Gotenberg allows an unauthenticated attacker to manipulate files on the server. By sending specially crafted metadata, an attacker can trick the system into renaming, moving, or overwriting any PDF file. This could lead to significant disruption and data integrity issues.

  • Attacker can overwrite critical files.
  • Attacker can move files to any location.
  • Can impact any PDF being processed.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit Gotenberg's metadata write endpoint by inserting a newline character into a metadata value. This bypasses input sanitization, allowing the attacker to inject malicious ExifTool commands to manipulate files within the container. They can rename or move PDFs to arbitrary locations, overwrite existing files, or create symbolic and hard links.

  • Targets metadata write endpoint.
  • Unauthenticated network access needed.
  • Exploits unsanitized metadata values.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Gotenberg allows unauthenticated attackers to manipulate PDF metadata, potentially renaming files, moving them to arbitrary locations, overwriting files, or creating symbolic and hard links. The exploit bypasses a previous fix, indicating a persistent issue that attackers might find appealing due to the broad impact on file system operations.

  • Exploitation of unpatched Gotenberg is probable.
  • Public exploit code is not yet confirmed.
  • The vulnerability impacts file operations within the container.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize blocking or isolating Gotenberg instances due to critical, exploitable vulnerabilities. The vulnerability allows unauthenticated attackers to rename, move, or overwrite files within the container filesystem by injecting arbitrary ExifTool pseudo-tags.

  • Isolate or take affected Gotenberg services offline.
  • Block network traffic to vulnerable instances.
  • Upgrade Gotenberg to version 8.31.0 or later.

Frequently asked questions

What is Gotenberg and its primary function in PDF processing?

Gotenberg is a stateless, Docker-based API service for processing PDF files. Developers use it to programmatically generate, manipulate, and convert PDF documents within their applications.

How does CVE-2026-40281 enable attackers to manipulate files via metadata?

This vulnerability, classified as CWE-88 (Argument Injection), lets attackers inject ExifTool arguments through PDF metadata values. A newline character inside a metadata value splits it into separate arguments, letting attackers run arbitrary ExifTool operations to rename, relocate, or overwrite files.

What specific weakness allows for argument injection in Gotenberg?

The metadata write endpoint in Gotenberg versions prior to 8.31.0 fails to sanitize metadata values for control characters, specifically allowing a newline character. This newline character splits ExifTool stdin, enabling the injection of arbitrary pseudo-tags like -FileName, -Directory, -SymLink, and -HardLink.
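The weakness described above, sketched in Go as an added example; this is not Gotenberg's code or its 8.31.0 fix. It assumes each metadata entry reaches ExifTool as one `-Tag=value` argument per stdin line, and `argLines`, `ValidateMetadata` and `fileOpTags` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// argLines models the assumed transport: one "-Tag=value" argument per stdin line.
// It returns the lines ExifTool would see, so the split caused by "\n" is visible.
func argLines(meta map[string]string) []string {
	var b strings.Builder
	for k, v := range meta {
		fmt.Fprintf(&b, "-%s=%s\n", k, v)
	}
	return strings.Split(strings.TrimSuffix(b.String(), "\n"), "\n")
}

// fileOpTags holds the pseudo-tags the advisory names (not a complete list).
var fileOpTags = map[string]bool{"filename": true, "directory": true, "symlink": true, "hardlink": true}

// ValidateMetadata rejects control characters in keys and values, and keys that
// resolve to a file-operation pseudo-tag (case-insensitive, group prefix ignored).
func ValidateMetadata(meta map[string]string) error {
	for k, v := range meta {
		if strings.IndexFunc(k+v, unicode.IsControl) >= 0 {
			return fmt.Errorf("metadata entry %q contains a control character", k)
		}
		name := strings.TrimSuffix(k[strings.LastIndex(k, ":")+1:], "#")
		if fileOpTags[strings.ToLower(name)] {
			return fmt.Errorf("metadata key %q is a file-operation pseudo-tag", k)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	benign := map[string]string{"Title": "Quarterly report"}
	crafted := map[string]string{"Title": "x\n-FileName=renamed.pdf"}
	fmt.Println(len(argLines(benign)), ValidateMetadata(benign))   // one line, accepted
	fmt.Println(len(argLines(crafted)), ValidateMetadata(crafted)) // two lines, rejected
}
```

A check like this belongs in front of any service that forwards user-supplied metadata to ExifTool, alongside the upgrade to 8.31.0 or later.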

What is the impact of CVE-2026-40281 on file integrity and system operations?

An unauthenticated attacker can exploit this flaw to rename or move any PDF being processed to any location within the container's filesystem, overwrite arbitrary files, or create symbolic and hard links at specified paths, posing a significant risk to data integrity and system operations.

What immediate actions should be taken to mitigate risks associated with this vulnerability?

It is recommended to isolate or take affected Gotenberg instances offline and block network traffic to vulnerable services. Upgrading Gotenberg to version 8.31.0 or later is the definitive remediation step to address this critical vulnerability.
