CVE-2026-40281

CRITICAL

Gotenberg vulnerable to argument injection via newlines in ExifTool metadata values

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-40281. PoCs published by ByteWraith1.

AI-analyzed exploit summary: The repository claims to exploit CVE-2026-40281 in Gotenberg PDF API via metadata injection but lacks actual exploit code, instead redirecting users to an external download link (tinyurl).

Description

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.
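The defect described above is a validation gap: keys are screened for control characters, values are not, and ExifTool reads one argument per stdin line. The following is an added example, not Gotenberg's own code, showing the check a maintainer would want: the same control-character rule applied to both keys and values, gating the construction of the argument lines that go to ExifTool. The function names and the "-Tag=Value" line format are assumptions for illustration; the advisory itself only states that one stdin line becomes one ExifTool argument.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ErrControlChar is returned when a metadata key or value carries a control
// character that could change how ExifTool parses its argument lines.
var ErrControlChar = errors.New("metadata field contains a control character")

// containsControl reports whether s holds an ASCII control character
// (0x00-0x1F or 0x7F). CR and LF are the ones that terminate an ExifTool
// argument line, but the whole class is rejected because none of them
// belongs in a PDF metadata field.
func containsControl(s string) bool {
	for _, r := range s {
		if r < 0x20 || r == 0x7f {
			return true
		}
	}
	return false
}

// ValidateMetadata applies the control-character rule to keys AND values.
// Checking only the keys is exactly the gap the advisory describes.
func ValidateMetadata(md map[string]string) error {
	for k, v := range md {
		if k == "" || containsControl(k) {
			return fmt.Errorf("key %q: %w", k, ErrControlChar)
		}
		if containsControl(v) {
			return fmt.Errorf("value of key %q: %w", k, ErrControlChar)
		}
	}
	return nil
}

// ExifToolArgLines builds the "-Tag=Value" lines that would be written to
// ExifTool's stdin (its -@ argfile mode reads one argument per line; the
// exact line format used here is an assumption). Nothing is built until
// validation passes, so a newline can never turn one intended argument
// into two. Keys are sorted for a stable output order.
func ExifToolArgLines(md map[string]string) ([]string, error) {
	if err := ValidateMetadata(md); err != nil {
		return nil, err
	}
	keys := make([]string, 0, len(md))
	for k := range md {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	lines := make([]string, 0, len(keys))
	for _, k := range keys {
		lines = append(lines, "-"+k+"="+md[k])
	}
	return lines, nil
}

func main() {
	// Constructed sample inputs: one clean request and one whose value
	// carries an embedded newline.
	clean := map[string]string{"Author": "J. Doe", "Title": "Quarterly report"}
	bad := map[string]string{"Title": "Quarterly report\nsecond line"}

	lines, err := ExifToolArgLines(clean)
	fmt.Println(lines, err)
	lines, err = ExifToolArgLines(bad)
	fmt.Println(lines, err)
}
```

Rejecting the whole control-character class rather than just LF and CR keeps the rule simple and avoids a second round of this bug if ExifTool's line handling ever changes; legitimate PDF metadata never needs those bytes.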

Exploits (1)

nomisec SUSPICIOUS
by ByteWraith1 · poc
https://github.com/ByteWraith1/CVE-2026-40281

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Gotenberg PDF API (versions 8.30.1 and earlier)
No auth needed
Prerequisites: Python 3.8+ · requests library · argparse library
devstral-2 · analyzed May 07, 2026

Scores

CVSS v3 10.0
EPSS 0.0003
EPSS Percentile 7.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-88
Status published
Products (3)
gotenberg/gotenberg 0 - 8.31.0 (Go)
gotenberg/gotenberg <= 8.30.1
thecodingmachine/gotenberg < 8.31.0
Published May 06, 2026
Tracked Since May 07, 2026