CVE-2026-42593

MEDIUM

Gotenberg: Arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes

Title source: cna

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression=/path from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem. This vulnerability is fixed in 8.32.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/gotenberg/gotenberg/security/advisories/GHSA-3cv5-q585-h563

Scores

CVSS v3 5.3

EPSS 0.0031

EPSS Percentile 22.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-22 CWE-73

Status published

Products (3)

gotenberg/gotenberg 0 - 8.31.0Go

gotenberg/gotenberg < 8.32.0

thecodingmachine/gotenberg < 8.32.0

Published May 14, 2026

Tracked Since May 14, 2026