CVE-2026-42589: Gotenberg RCE via ExifTool Argument Injection
A critical vulnerability, CVE-2026-42589, has been identified in Gotenberg, a Docker-powered stateless API for PDF files. The National Vulnerability Database reports that versions prior to 8.31.0 are susceptible to unauthenticated OS command execution. The issue stems from the /forms/pdfengines/metadata/write HTTP endpoint, which directly passes JSON metadata keys to ExifTool via the go-exiftool library without proper validation.
Attackers can inject arbitrary ExifTool flags, including the -if flag for Perl expression evaluation, by embedding a newline character (\n) within a JSON key. The embedded newline terminates the current argument on ExifTool's stdin stream and begins a new one, so a metadata key becomes an injected ExifTool argument. The National Vulnerability Database highlights that this can lead to unauthenticated OS command execution in a single HTTP request; the server still returns HTTP 200 and a valid PDF, so basic monitoring that keys on error responses will not see the exploitation.
With a CVSS score of 9.8 (Critical) and classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), this vulnerability presents a severe risk. Defenders must recognize that the attacker’s calculus here is straightforward: a single, unauthenticated HTTP request yields full system compromise. The stealthy nature of the attack response means organizations cannot rely on HTTP status codes to detect exploitation.
What This Means For You
- If your organization uses Gotenberg, specifically versions prior to 8.31.0, you are exposed to unauthenticated remote code execution. This is a critical vulnerability that attackers will actively target. Immediately patch to version 8.31.0 or later. After patching, audit your Gotenberg logs for any suspicious metadata write requests, especially those with unusual characters or patterns in JSON keys, going back as far as your logs permit.
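The same check serves both the mechanism described above and the log audit recommended here: reject (or flag, when run over logged request bodies) any metadata key that ExifTool could read as an argument rather than a tag name. This is an added example, not Gotenberg's own code or its fix; the tag-name allow-list pattern and the `FindSuspiciousKeys` name are assumptions chosen for illustration, and the sample bodies in the test are constructed.

```go
package main

import (
	"encoding/json"
	"regexp"
	"sort"
	"strings"
	"unicode"
)

// KeyViolation records one JSON metadata key that must not reach ExifTool.
type KeyViolation struct {
	Key    string
	Reason string
}

// tagName is a deliberately narrow, hypothetical allow-list: a bare ExifTool
// tag name such as "Author", or a group-qualified one such as "XMP-dc:Title".
// Anything else (flags, newlines, free text) is reported.
var tagName = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9]*(-[A-Za-z0-9]+)*(:[A-Za-z][A-Za-z0-9]*)?$`)

// FindSuspiciousKeys parses a metadata JSON object and reports every key that
// ExifTool could read as an argument rather than a tag name. Use it as a
// request-time gate (reject on any violation) and, over logged request
// bodies, as the post-patch audit. A non-object body is itself one violation.
func FindSuspiciousKeys(raw []byte) []KeyViolation {
	var meta map[string]json.RawMessage
	if err := json.Unmarshal(raw, &meta); err != nil {
		return []KeyViolation{{Reason: "body is not a JSON object: " + err.Error()}}
	}
	var found []KeyViolation
	for k := range meta {
		switch {
		case strings.IndexFunc(k, unicode.IsControl) >= 0:
			// A newline ends the current argument on ExifTool's stdin argument
			// stream and starts a new one: that is the injection primitive.
			found = append(found, KeyViolation{Key: k, Reason: "control character in key"})
		case strings.HasPrefix(k, "-"):
			found = append(found, KeyViolation{Key: k, Reason: "key starts with '-' (reads as a flag)"})
		case !tagName.MatchString(k):
			found = append(found, KeyViolation{Key: k, Reason: "key is not a plain tag name"})
		}
	}
	// Map iteration order is random; sort so callers and logs are stable.
	sort.Slice(found, func(i, j int) bool { return found[i].Key < found[j].Key })
	return found
}
```

A request handler would return a 4xx on any non-empty result before the metadata is handed to the go-exiftool library; the audit run simply prints each violation with the request's timestamp and source address.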
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42589 | RCE | Gotenberg < 8.31.0 |
| CVE-2026-42589 | RCE | Gotenberg /forms/pdfengines/metadata/write HTTP endpoint |
| CVE-2026-42589 | Command Injection | ExifTool argument injection via JSON metadata keys with \n |
| CVE-2026-42589 | Command Injection | ExifTool -if flag for Perl expression evaluation |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.