## Gotenberg PDF API Flaw Allows File System Manipulation via ExifTool Blocklist Bypass (CVE-2026-42590)
A critical security vulnerability in Gotenberg, a widely used Docker-powered stateless API for PDF file processing, allows attackers to bypass the ExifTool metadata write blocklist and perform arbitrary file operations on the host system. The flaw, tracked as CVE-2026-42590 with a CVSS score of 8.2, uses ExifTool's group-prefix syntax to circumvent the intended restrictions in versions prior to 8.30.0. Successful exploitation grants attackers the ability to rename, move, hardlink, and symlink files outside the expected processing scope.

The vulnerability targets the core security mechanism designed to prevent malicious metadata manipulation during PDF processing. Gotenberg relies on ExifTool to handle metadata extraction and sanitization, but the blocklist implementation fails to account for ExifTool's group-prefixed tag syntax, so a tag name that the blocklist rejects in its bare form is accepted when written with a group prefix. This oversight allows specially crafted input to bypass the content restrictions, potentially exposing sensitive host system files or enabling privilege escalation in containerized environments.
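
The blocklist weakness described above, illustrated as an added example: this is not Gotenberg's own code and not a reproduction of the vulnerable implementation, but a validator for ExifTool write arguments that canonicalises the tag name before checking it, shown beside the stricter allowlist design. The four file-system pseudo-tags (FileName, Directory, HardLink, SymLink) are real ExifTool tags and correspond to the rename, move, hardlink and symlink operations the advisory names; the function names, the allowlist contents and the sample arguments are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// ExifTool pseudo-tags that act on the file system instead of the file's
// metadata. These four are real ExifTool tags; they map to the rename,
// move, hardlink and symlink operations named in the advisory.
var fileSystemTags = map[string]bool{
	"filename":  true,
	"directory": true,
	"hardlink":  true,
	"symlink":   true,
}

// allowedTags is a hypothetical allowlist of document metadata that a PDF
// service might legitimately let callers set.
var allowedTags = map[string]bool{
	"title":    true,
	"author":   true,
	"subject":  true,
	"keywords": true,
	"creator":  true,
	"producer": true,
}

// canonicalTag reduces an ExifTool write argument such as
// "-System:FileName=out.pdf" or "-XMP-dc:Subject+=foo" to its bare,
// lower-cased tag name ("filename", "subject"). It strips leading dashes,
// the "=" assignment or "<" copy operator and its value, the trailing sign
// left by "+=" / "-=", every "Group:" prefix and the raw-value "#" suffix.
// ExifTool tag names are case-insensitive, so matching is done in lower case.
func canonicalTag(arg string) string {
	s := strings.TrimSpace(arg)
	s = strings.TrimLeft(s, "-")
	// Cut at the first "=" (assign a value) or "<" (copy from another tag).
	if i := strings.IndexAny(s, "=<"); i >= 0 {
		s = s[:i]
	}
	s = strings.TrimRight(s, "+-") // "+=" and "-=" leave a trailing sign
	// Drop all group prefixes: "System:FileName" -> "FileName".
	if i := strings.LastIndex(s, ":"); i >= 0 {
		s = s[i+1:]
	}
	s = strings.TrimSuffix(s, "#")
	return strings.ToLower(s)
}

// blocklistRejects reports whether the argument targets a file-system
// pseudo-tag. Comparing the raw string against "-FileName" would miss the
// same tag written with a group prefix; canonicalising first closes that gap.
func blocklistRejects(arg string) bool {
	return fileSystemTags[canonicalTag(arg)]
}

// allowlistAccepts is the stricter design: only explicitly approved metadata
// tags may be written, so any other tag is refused by default regardless of
// how it is prefixed or which operator variant is used.
func allowlistAccepts(arg string) bool {
	return allowedTags[canonicalTag(arg)]
}

func main() {
	// Constructed sample arguments, not captured from any real request.
	samples := []string{
		"-Title=Quarterly report",
		"-XMP-dc:Subject+=finance",
		"-FileName=renamed.pdf",
		"-System:FileName=renamed.pdf",
		"-symlink<Title",
	}
	for _, arg := range samples {
		fmt.Printf("%-30s tag=%-9s blocklist-rejects=%-5v allowlist-accepts=%v\n",
			arg, canonicalTag(arg), blocklistRejects(arg), allowlistAccepts(arg))
	}
}
```

The point the two functions make side by side is that a blocklist is only as good as its normalisation, whereas an allowlist of the handful of metadata fields a PDF service actually needs to set denies every unexpected tag without having to enumerate ExifTool's syntax.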

The 8.2 severity rating reflects significant risk, particularly for deployments processing untrusted PDF submissions. Organizations running self-hosted Gotenberg instances on versions before 8.30.0 face exposure if their services are accessible to untrusted users or if container isolation is compromised. Immediate upgrade to version 8.30.0 is the recommended remediation path. For systems unable to patch immediately, network-level restrictions and strict access controls on the API endpoints offer interim protection until the update can be applied.

---
- **Source**: Mastodon:mastodon.social:#infosec
- **Sector**: The Lab
- **Tags**: CVE-2026-42590, ExifTool, bypass, PDF, API
- **Credibility**: unverified
- **Published**: 2026-05-14 17:18:35
- **ID**: 83108
- **URL**: https://whisperx.ai/en/intel/83108