CVE-2026-40893: Gotenberg Allows Arbitrary File Manipulation

The National Vulnerability Database has detailed CVE-2026-40893, a high-severity vulnerability (CVSS 8.2) in Gotenberg, a Docker-powered stateless API for PDF files. The flaw stems from inadequate tag validation: Gotenberg versions prior to 8.31.0 reject only the exact ‘FileName’ tag, so an attacker can bypass the check by supplying ‘System:FileName’, which the underlying ExifTool utility then processes.

This oversight enables remote attackers to manipulate arbitrary files on the system. Specifically, an attacker can move, rename, and alter permissions for files, leading to significant integrity and availability risks. The vulnerability is categorized under CWE-73 (External Control of File Name or Path) and CWE-184 (Incomplete List of Disallowed Inputs).
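To show why an exact-match deny list of this kind fails (the CWE-184 pattern), here is a constructed Go example, not Gotenberg's own code: the naive check beside a hardened version that normalizes the ExifTool tag specifier before comparing. The list of file-system tags and the helper names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Naive check (constructed for this example, not Gotenberg's code): an
// exact-match deny list, the CWE-184 pattern the advisory describes.
// "FileName" is rejected, but "System:FileName", "filename" or "FileName#"
// slip through, and ExifTool resolves all of them to the same tag.
func rejectTagNaive(tag string) bool {
	return tag == "FileName"
}

// Tags that make ExifTool act on the file system instead of on metadata.
// The list is an assumption for this example; take the real one from the
// ExifTool documentation of writable "System" tags.
var fileSystemTags = map[string]bool{
	"filename": true, "directory": true, "filepermissions": true,
	"hardlink": true, "symlink": true,
	"filemodifydate": true, "filecreatedate": true,
}

// normalizeTag reduces an ExifTool tag specifier to its bare lowercase
// name: group qualifiers ("System:FileName") and the "#" no-print-
// conversion suffix are stripped, because ExifTool ignores those
// decorations and letter case when choosing the tag to write.
func normalizeTag(tag string) string {
	name := tag
	if i := strings.LastIndex(name, ":"); i >= 0 {
		name = name[i+1:]
	}
	name = strings.TrimSuffix(name, "#")
	return strings.ToLower(strings.TrimSpace(name))
}

// rejectTagHardened compares the normalized name against the deny list,
// so every spelling ExifTool would accept for FileName is caught.
func rejectTagHardened(tag string) bool {
	return fileSystemTags[normalizeTag(tag)]
}

func main() {
	for _, t := range []string{"Title", "FileName", "System:FileName", "filename#", "Directory"} {
		fmt.Printf("%-16s naive=%-5v hardened=%v\n", t, rejectTagNaive(t), rejectTagHardened(t))
	}
}
```

An allow-list of the metadata tags the service actually needs to write is stronger than either deny list, because it does not depend on enumerating every tag ExifTool can write.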

Defenders using Gotenberg must prioritize patching to version 8.31.0 or later immediately. This isn’t theoretical — arbitrary file operations are a golden ticket for further compromise, data exfiltration, or denial-of-service. Ignoring this means leaving a wide-open door for an attacker to reconfigure your environment or destroy critical data.

What This Means For You

  • If your organization utilizes Gotenberg for PDF processing, you are directly exposed to CVE-2026-40893. Check your Gotenberg deployment version immediately and patch to 8.31.0 or newer. Failure to do so grants remote attackers the ability to move, rename, and change permissions on arbitrary files within your system.

Related ATT&CK Techniques

T1190 (Initial Access)

Detection Rules

Three detection rules were auto-generated for this entry and mapped to MITRE ATT&CK; the Sigma YAML of one of them (severity high, T1190 Initial Access) follows.

CVE-2026-40893: Gotenberg Arbitrary File Manipulation via FileName Tag

Sigma YAML
title: 'CVE-2026-40893: Gotenberg Arbitrary File Manipulation via FileName Tag'
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  This rule detects potential exploitation of CVE-2026-40893 by identifying requests to the Gotenberg '/convert' endpoint that include the 'FileName' query parameter. This parameter is specifically targeted by the vulnerability, allowing attackers to manipulate arbitrary files on the system. The rule looks for POST requests with a 200 status code, indicating a successful, albeit malicious, operation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40893/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/convert'
    cs-uri-query|contains:
      - 'FileName'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID             | Type                      | Indicator
CVE-2026-40893 | Path Traversal            | Gotenberg < 8.31.0
CVE-2026-40893 | File Manipulation         | Gotenberg vulnerable to 'System:FileName' tag bypass
CVE-2026-40893 | Arbitrary File Operations | Gotenberg allows remote attackers to move, rename, and change permissions for arbitrary files

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

