Gotenberg PDF API Vulnerability CVE-2026-40281 Allows Arbitrary File Overwrite
The National Vulnerability Database has disclosed CVE-2026-40281, a critical vulnerability impacting Gotenberg, a Docker-powered API for PDF manipulation. Versions 8.30.1 and earlier suffer from an inadequate fix for metadata key sanitization. Attackers can inject newline characters into metadata values, effectively splitting ExifTool commands. This allows the injection of arbitrary ExifTool pseudo-tags, enabling malicious actions.
Exploitation of this flaw grants unauthenticated attackers the ability to rename or relocate any PDF file processed by the API to any location within the container’s filesystem. More critically, it permits the overwriting of arbitrary files and the creation of symbolic or hard links at any path. This level of control poses a severe risk to systems running vulnerable Gotenberg instances.
What This Means For You
- If your organization uses Gotenberg for PDF processing, you must immediately patch or update to a non-vulnerable version. Prioritize systems exposed to external networks. Audit file system logs for any suspicious file renames, overwrites, or new link creations, especially those pointing to critical system files or configuration directories.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-40281 - Gotenberg PDF API Arbitrary File Overwrite via Metadata Injection
title: CVE-2026-40281 - Gotenberg PDF API Arbitrary File Overwrite via Metadata Injection
id: scw-2026-05-06-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-40281 in Gotenberg. The vulnerability allows arbitrary file overwrite by injecting a newline character (%0A) within the metadataKey parameter of the /convert endpoint. This newline character causes ExifTool to misinterpret the input, enabling the injection of pseudo-tags like -FileName, -Directory, -SymLink, or -HardLink to manipulate files.
author: SCW Feed Engine (AI-generated)
date: 2026-05-06
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-40281/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/convert'
cs-method|contains:
- 'POST'
cs-uri-query|contains:
- 'metadataKey='
cs-uri-query|contains:
- '%0A'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40281 | Vulnerability | CVE-2026-40281 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-41484 — OpenTelemetry.Exporter.OneCollector is a .NET exporter that
CVE-2026-41484 — OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to...
CVE-2026-41483 — OpenTelemetry.Resources.Azure is the .NET resource detector
CVE-2026-41483 — OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure...
CVE-2026-41417 — Netty allows request-line validation to be bypassed when a
CVE-2026-41417 — Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`....