Cyber Resilience

CVE-2026-42589

Critical · Public PoC · RCE

Published: 14 May 2026
Modified: 18 May 2026
KEV Added: not listed
Patch: 8.31.0
CVSS v3.1: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.0295 (85.5th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-42589 is a critical-severity OS Command Injection (CWE-78) vulnerability in Thecodingmachine Gotenberg. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.5% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

Gotenberg is a Docker-powered stateless API for converting and manipulating PDF files. Prior to version 8.31.0, its /forms/pdfengines/metadata/write endpoint accepts an arbitrary JSON metadata object and passes its keys directly to ExifTool through the go-exiftool library without sanitizing key characters. A newline embedded in a JSON key splits the ExifTool input stream, enabling injection of arbitrary command-line flags such as -if that evaluate Perl expressions and ultimately execute operating-system commands.

An unauthenticated remote attacker can exploit the flaw with a single HTTP POST request containing a crafted JSON payload. Because the endpoint returns HTTP 200 and a valid PDF, the command execution occurs without triggering obvious error responses or requiring authentication, session state, or user interaction. Successful exploitation yields full control over the underlying container with the privileges of the Gotenberg process.

The official Gotenberg security advisory GHSA-rqgh-gxv4-6657 states that the issue is resolved in release 8.31.0. Administrators are advised to upgrade immediately; no work-arounds are documented in the advisory.

The EPSS score remains flat at 0.0877 with no material increase after disclosure.

Vulnerability details

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags, including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE via command injection on a public-facing HTTP API endpoint (CWE-78).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42591 · Same product: Thecodingmachine Gotenberg
CVE-2026-42596 · Same product: Thecodingmachine Gotenberg
CVE-2026-27018 · Same product: Thecodingmachine Gotenberg
CVE-2026-42595 · Same product: Thecodingmachine Gotenberg
CVE-2026-40281 · Same product: Thecodingmachine Gotenberg
CVE-2026-40893 · Same product: Thecodingmachine Gotenberg
CVE-2026-42590 · Same product: Thecodingmachine Gotenberg
CVE-2026-35458 · Same product: Thecodingmachine Gotenberg
CVE-2026-42594 · Same product: Thecodingmachine Gotenberg
CVE-2025-43984 · Shared CWE-78

Affected Assets

thecodingmachine
gotenberg
< 8.31.0 (fixed in 8.31.0)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-10 Information Input Validation
Rejects or sanitizes untrusted JSON keys containing newlines before they reach go-exiftool/ExifTool, directly blocking the argument-injection vector used for RCE.

prevent · AC-3 Access Enforcement
Enforces authentication and authorization on the /forms/pdfengines/metadata/write endpoint so that unauthenticated attackers cannot submit the malicious payload.

prevent
Disables or restricts the metadata-write endpoint and ExifTool flag-passing behavior unless explicitly required, reducing the attack surface that enables flag injection.
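The argument splitting described under Deeper analysis, and the SI-10 input-validation control listed above, as one added example in Go (Gotenberg's language). This is not Gotenberg's or go-exiftool's code: buildArgLines is a simplified model of a -stay_open ExifTool session, which reads one argument per line from stdin, so a newline inside a key lands as a separate argument. validateMetadata and parseMetadataBody are a hypothetical allow-list check, with the tag-name pattern and the "XMP-dc:Title" sample chosen here; the malicious payload is constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// buildArgLines models (simplified; not go-exiftool's own code) how a
// -stay_open ExifTool session receives its work: one argument per line on
// stdin, then the file name, then "-execute". Each tag becomes "-Key=Value",
// so a newline inside a key or value becomes an argument boundary.
func buildArgLines(meta map[string]string, file string) []string {
	keys := make([]string, 0, len(meta))
	for k := range meta {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order for the demo
	lines := make([]string, 0, len(keys)+2)
	for _, k := range keys {
		lines = append(lines, "-"+k+"="+meta[k])
	}
	return append(lines, file, "-execute")
}

// argsAsSeen re-parses the stdin stream the way ExifTool does: every
// newline-terminated line is one argument, whatever the caller intended.
func argsAsSeen(lines []string) []string {
	return strings.Split(strings.Join(lines, "\n"), "\n")
}

// tagName is an assumed allow-list for tag keys: an optional group prefix
// (e.g. XMP-dc) and a tag, both starting with a letter. A key can therefore
// never start with "-" and can never contain "=", CR or LF.
var tagName = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_-]*(:[A-Za-z][A-Za-z0-9_-]*)?$`)

// validateMetadata is the SI-10 style check (hypothetical, not the project's
// actual fix): keys must match tagName, and values must not carry CR/LF,
// because a newline in a value splits the argument stream just the same.
func validateMetadata(meta map[string]string) error {
	for k, v := range meta {
		if !tagName.MatchString(k) {
			return fmt.Errorf("rejected metadata key %q", k)
		}
		if strings.ContainsAny(v, "\r\n") {
			return fmt.Errorf("rejected value for %q: control characters", k)
		}
	}
	return nil
}

// parseMetadataBody decodes the JSON request body and validates it before
// anything is handed to ExifTool. Non-string values are rejected outright.
func parseMetadataBody(body []byte) (map[string]string, error) {
	var meta map[string]string
	if err := json.Unmarshal(body, &meta); err != nil {
		return nil, fmt.Errorf("metadata must be a JSON object of strings: %w", err)
	}
	if err := validateMetadata(meta); err != nil {
		return nil, err
	}
	return meta, nil
}

func main() {
	// Constructed payload: the JSON key itself carries the newlines, so the
	// single "-Key=Value" line turns into four arguments, two of them flags.
	malicious := map[string]string{
		"Title=harmless\n-if\n1; system('id')\n-Comment": "x",
	}
	for _, a := range argsAsSeen(buildArgLines(malicious, "in.pdf")) {
		fmt.Printf("arg: %q\n", a)
	}
	fmt.Println("malicious:", validateMetadata(malicious))
	fmt.Println("benign:   ", validateMetadata(map[string]string{"XMP-dc:Title": "Quarterly report"}))
}
```

Running it prints the six arguments ExifTool would actually see ("-Title=harmless", "-if", "1; system('id')", "-Comment=x", "in.pdf", "-execute") and then the rejection of the malicious object. The allow-list approach is deliberate: escaping newlines is fragile because ExifTool has other argument-file conventions, whereas refusing anything outside a narrow tag-name grammar leaves no path for a key to become a flag.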
