External risk intelligence

Attackers can take control of Gotenberg servers processing PDFs via a single unauthenticated request.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-42589

Gotenberg servers processing PDFs can be fully controlled by attackers through a single unauthenticated request, allowing them to run any command on the server. This critical flaw affects versions prior to 8.31.0 and is easily exploitable over the network.

Halo Surface Signal score: 4

OS Command Injection

Thecodingmachine Gotenberg

before 8.31.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-42589

Gotenberg is an HTTP-based API service designed for document processing. While often used as a backend microservice, it is frequently integrated into internet-facing applications to handle user document uploads, placing its API endpoints in a position where they may be reachable through public-facing web infrastructure.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Gotenberg allows unauthenticated operating system command execution. An attacker sends a specially crafted HTTP request to the /forms/pdfengines/metadata/write endpoint; because the handler does not validate the metadata keys before handing them to ExifTool, the attacker can run arbitrary commands on the server. This is a critical issue because it can lead to a complete compromise of the affected system.

  • Remote, unauthenticated attackers can execute commands.
  • The request completes normally (HTTP 200, valid PDF), so the attack is transparent to basic monitoring.
  • It affects Gotenberg versions prior to 8.31.0.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can achieve remote code execution by sending a specially crafted JSON payload to the /forms/pdfengines/metadata/write endpoint. Because the keys of that JSON are not validated, a key containing a newline character is split into additional ExifTool command-line arguments, including the -if flag, which evaluates a Perl expression. The attack is stealthy: the request returns HTTP 200 and a valid PDF.

  • Targeting the HTTP metadata endpoint
  • Unauthenticated network access
  • No input validation on JSON keys
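To make the splitting concrete, the Go program below is an added illustration and not Gotenberg's own code. It assumes, as the description above implies, that the handler turns each metadata pair into an ExifTool argument line of the form -Key=Value and hands the lines to ExifTool through an argfile (ExifTool's -@ option reads one argument per line); the names buildArgFile, buildArgFileSafe and ValidateMetadata, the key pattern, and the sample metadata map are constructed for the example. The hardened builder goes slightly beyond the page by also rejecting line breaks in values, since a newline anywhere in an argument line splits it. The injected key uses a harmless placeholder expression (1) rather than a working payload.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed example input: the metadata map as the endpoint would decode it from
// the "metadata" JSON form field. The key carries embedded newlines.
var injectedMetadata = map[string]string{
	"Author\n-if\n1": "Alice",
}

// sortedKeys gives deterministic output order for the demo and the test.
func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// buildArgFile models (an assumption, not Gotenberg's code) a handler that writes
// one ExifTool argfile line "-Key=Value" per metadata pair. There is no validation,
// so a newline inside a key becomes additional argument lines.
func buildArgFile(meta map[string]string) string {
	var b strings.Builder
	for _, k := range sortedKeys(meta) {
		fmt.Fprintf(&b, "-%s=%s\n", k, meta[k])
	}
	return b.String()
}

// argLines splits an argfile the way ExifTool's -@ option does: one argument per line.
func argLines(argfile string) []string {
	return strings.Split(strings.TrimRight(argfile, "\n"), "\n")
}

// safeKey is an assumed allow-list: a tag name, optionally prefixed by a group
// ("XMP-dc:Title"). Whitespace, control characters, "=" and a leading "-" all fail.
var safeKey = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_-]*(:[A-Za-z][A-Za-z0-9_-]*)?$`)

// ValidateMetadata rejects keys that cannot be tag names and values that would
// span more than one argument line.
func ValidateMetadata(meta map[string]string) error {
	for k, v := range meta {
		if !safeKey.MatchString(k) {
			return fmt.Errorf("metadata key %q is not a valid tag name", k)
		}
		if strings.ContainsAny(v, "\r\n") {
			return fmt.Errorf("metadata value for %q contains a line break", k)
		}
	}
	return nil
}

// buildArgFileSafe is the hardened builder: validate first, then emit lines.
func buildArgFileSafe(meta map[string]string) (string, error) {
	if err := ValidateMetadata(meta); err != nil {
		return "", err
	}
	return buildArgFile(meta), nil
}

func main() {
	for i, l := range argLines(buildArgFile(injectedMetadata)) {
		fmt.Printf("vulnerable builder, arg %d: %q\n", i, l)
	}
	if _, err := buildArgFileSafe(injectedMetadata); err != nil {
		fmt.Println("hardened builder:", err)
	}
}
```

Run with `go run`: the vulnerable builder emits three argument lines ("-Author", "-if", "1=Alice") from a single metadata pair, which is exactly the argument injection the advisory describes, while the hardened builder refuses the key before anything reaches ExifTool.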

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Gotenberg's metadata writing endpoint presents a clear path to unauthenticated remote command execution. Attackers exploit it by injecting newline characters into JSON keys, which are passed directly to ExifTool, allowing arbitrary ExifTool flags to be supplied. The critical rating and the nature of the exploit (a single HTTP request leading to OS command execution with a seemingly valid PDF response) make it attractive to attackers.

  • Unauthenticated remote code execution
  • No public exploit code observed
  • Recently published vulnerability

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Upgrade immediately; until the upgrade lands, isolate or take offline any Gotenberg instance running a version prior to 8.31.0 that is reachable from untrusted networks, as this critical vulnerability allows unauthenticated remote code execution. Web-tier logs alone will not flag the attack: the request completes with HTTP 200 and returns a valid PDF, so detection has to come from process activity on the host or from inspecting the metadata field before it reaches Gotenberg.

  • Apply Gotenberg version 8.31.0 or later.
  • Block network traffic to the affected endpoint at the reverse proxy or firewall in front of Gotenberg.
  • Monitor for suspicious command execution on the host, such as unexpected child processes of exiftool.
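Until the upgrade lands, the endpoint can be virtually patched in front of Gotenberg. The Go middleware below is an added example, not part of Gotenberg or of this advisory: it intercepts POST requests to /forms/pdfengines/metadata/write, buffers the multipart body, parses the metadata JSON field, and rejects the request with 400 (logging the client address and the offending keys) when any key is not a plain tag name or any string value contains a line break, then restores the body for the upstream handler. The key pattern, the 64 MiB body limit, the form field names ("metadata", "files") and the function names are assumptions; the stub PDF and the sample requests are constructed for the demo, and the upstream handler is a stand-in for the real proxy to Gotenberg.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"log"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Path of the vulnerable endpoint named in the advisory.
const metadataWritePath = "/forms/pdfengines/metadata/write"

// Assumed upper bound on request bodies the proxy buffers (PDF uploads can be large).
const maxBody = 64 << 20

// Assumed allow-list for keys: a tag name, optionally group-prefixed ("XMP-dc:Title").
var safeKey = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_-]*(:[A-Za-z][A-Za-z0-9_-]*)?$`)

// suspiciousKeys parses the JSON from the "metadata" field and returns every key
// that fails the pattern or whose string value contains a line break.
func suspiciousKeys(raw string) ([]string, error) {
	var meta map[string]any
	if err := json.Unmarshal([]byte(raw), &meta); err != nil {
		return nil, err
	}
	var bad []string
	for k, v := range meta {
		s, isString := v.(string)
		if !safeKey.MatchString(k) || (isString && strings.ContainsAny(s, "\r\n")) {
			bad = append(bad, k)
		}
	}
	return bad, nil
}

// VirtualPatch wraps the handler that forwards to Gotenberg. Only the vulnerable
// path is inspected; every other request passes through untouched.
func VirtualPatch(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != metadataWritePath {
			next.ServeHTTP(w, r)
			return
		}
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
		if err != nil || len(body) > maxBody {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Parse a clone so the original body can be handed upstream intact.
		probe := r.Clone(r.Context())
		probe.Body = io.NopCloser(bytes.NewReader(body))
		if err := probe.ParseMultipartForm(maxBody); err != nil {
			http.Error(w, "malformed multipart body", http.StatusBadRequest)
			return
		}
		bad, err := suspiciousKeys(probe.FormValue("metadata"))
		if err != nil {
			http.Error(w, "metadata field is not valid JSON", http.StatusBadRequest)
			return
		}
		if len(bad) > 0 {
			log.Printf("blocked metadata write from %s: rejected keys %q", r.RemoteAddr, bad)
			http.Error(w, "metadata keys rejected", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

// upstream stands in for Gotenberg: it succeeds only if the upload still arrived,
// which shows the middleware restored the body after inspecting it.
var upstream = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseMultipartForm(maxBody); err != nil || r.MultipartForm.File["files"] == nil {
		http.Error(w, "upload missing", http.StatusInternalServerError)
		return
	}
	w.WriteHeader(http.StatusOK)
})

// newMetadataRequest builds a constructed client request: a "metadata" JSON field
// and a stub (not a real) PDF under "files".
func newMetadataRequest(metadataJSON string) *http.Request {
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	_ = mw.WriteField("metadata", metadataJSON)
	fw, _ := mw.CreateFormFile("files", "doc.pdf")
	_, _ = fw.Write([]byte("%PDF-1.4\n"))
	_ = mw.Close()
	req := httptest.NewRequest(http.MethodPost, metadataWritePath, &buf)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	return req
}

// statusFor runs a request through the patched chain and returns the status code.
func statusFor(metadataJSON string) int {
	rec := httptest.NewRecorder()
	VirtualPatch(upstream).ServeHTTP(rec, newMetadataRequest(metadataJSON))
	return rec.Code
}

func main() {
	log.Printf("clean metadata: %d", statusFor(`{"Author":"Alice","XMP-dc:Title":"Report"}`))
	log.Printf("newline in key: %d", statusFor(`{"Author\n-if\n1":"Alice"}`))
}
```

The clean request reaches the upstream stand-in and gets 200; the request whose key embeds newlines is rejected with 400 and logged, which also gives the web tier the detection signal it otherwise lacks. Deploy this in the reverse proxy layer, not inside Gotenberg, so it keeps working across container restarts and image rebuilds until 8.31.0 is rolled out.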

Frequently asked questions

What is Gotenberg and what is its primary function?

Gotenberg is a Docker-based API designed for processing PDF files, often utilized by developers as a backend service for PDF creation and manipulation within applications.

How does CVE-2026-42589 enable attackers to execute commands?

This vulnerability (CWE-78) allows attackers to inject commands by exploiting the lack of validation on JSON keys in the /forms/pdfengines/metadata/write endpoint. Embedded newline characters split ExifTool arguments, enabling the injection of arbitrary flags like -if, which evaluates Perl expressions.

What specific actions must an attacker perform to exploit this flaw?

An attacker can exploit this vulnerability by sending a specially crafted JSON payload to the /forms/pdfengines/metadata/write HTTP endpoint. This payload includes newline characters in JSON keys, which are then processed by ExifTool, allowing for the execution of arbitrary commands on the server.

What is the relevance of this vulnerability in Gotenberg?

The relevance lies in the unauthenticated remote OS command execution it permits, with a single HTTP request resulting in a valid PDF response, making the attack transparent to basic monitoring. This critical vulnerability affects Gotenberg versions prior to 8.31.0.

What is the recommended remediation for this Gotenberg vulnerability?

The recommended remediation is to immediately upgrade to Gotenberg version 8.31.0 or later. If immediate upgrading is not possible, isolating or taking offline affected instances and monitoring for suspicious command execution are advised.
