Thousands of companies rely on Gotenberg, the Docker-based API for document-to-PDF conversion, to handle production workloads. However, recent security disclosures have unveiled a series of critical flaws, including a rare CVSS 10, that allow unauthenticated attackers to seize full control of Gotenberg instances with a single HTTP request.
The vulnerabilities range from devastating remote code execution (RCE) to sophisticated Server-Side Request Forgery (SSRF) bypasses.
The most severe discovery is CVE-2026-40281, which achieved a maximum severity score of 10/10. This flaw exists because of an incomplete fix in version 8.30.1 that sanitized metadata keys but left metadata values untouched.
By embedding a newline character (\n) into a metadata value, an attacker can split the input stream sent to the underlying ExifTool. This allows the injection of dangerous pseudo-tags that can:
- Rename or move files anywhere within the container filesystem.
- Overwrite critical system files, such as /etc/passwd, by moving a PDF into their path.
- Establish persistence by creating hard links or symlinks to internal data.
Closely following the CVSS 10 is CVE-2026-42589 (CVSS 9.8). This vulnerability targets the metadata write endpoint, which fails to validate JSON key characters. Attackers can inject a newline into a key to pass arbitrary Perl expressions to ExifTool’s -if flag.
The result is full, unauthenticated OS command execution. Because the server still returns a valid PDF with an HTTP 200 status code, the attack is “transparent to basic monitoring,” allowing an actor to read files or establish reverse shells without triggering standard alerts.
Two additional vulnerabilities, CVE-2026-40280 (CVSS 9.3) and CVE-2026-42596 (CVSS 9.4), reveal that Gotenberg's default SSRF protections are fundamentally bypassable.
- The Case-Sensitivity Flaw: The default deny-lists used a case-sensitive regex. By simply changing the URL scheme to uppercase (e.g., HTTP:// instead of http://), attackers can bypass the filter.
- Internal Access: Unauthenticated attackers can use these bypasses to reach internal network services, private IP ranges, or cloud metadata endpoints (like 169.254.169.254) that the software was configured to protect.
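As an added illustration (not Gotenberg's own code), the following Go snippet contrasts a case-sensitive deny-list check, which the uppercase-scheme trick slips past, with a check that parses the URL and normalizes scheme and host before matching. The deny-list pattern and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed deny-list: blocks loopback, RFC 1918 10/8 and the link-local
// metadata range. Simplified for illustration; not Gotenberg's actual rule.
var denyList = regexp.MustCompile(`^https?://(localhost|127\.|10\.|169\.254\.)`)

// weakAllowed applies the regex to the raw string, so "HTTP://" never
// matches the lowercase "^https?://" anchor and the deny-list is skipped.
func weakAllowed(raw string) bool {
	return !denyList.MatchString(raw)
}

// hardenedAllowed parses the URL, lowercases scheme and host, restricts the
// scheme to http/https, and only then applies the deny-list to the
// normalized "scheme://host" form.
func hardenedAllowed(raw string) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return false, nil // anything but http/https is rejected outright
	}
	host := strings.ToLower(u.Hostname()) // port stripped, case folded
	if host == "" {
		return false, nil
	}
	return !denyList.MatchString(scheme + "://" + host), nil
}

func main() {
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/",
		"HTTP://169.254.169.254/latest/meta-data/",
		"http://LOCALHOST:3000/",
		"https://example.com/report",
	} {
		ok, err := hardenedAllowed(raw)
		fmt.Printf("%-44s weak=%-5v hardened=%-5v err=%v\n", raw, weakAllowed(raw), ok, err)
	}
}
```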
The security research team emphasizes that any deployment exposing Gotenberg’s port 3000 without an authenticating proxy is at extreme risk.
All four vulnerabilities are addressed in Gotenberg version 8.32.