Incomplete List of Disallowed Inputs in gotenberg - CVE-2026-42590
Published: May 5, 2026
gotenberg
Detailed vulnerability description
The vulnerability allows a remote attacker to modify files on the server.
The vulnerability exists due to incomplete list of disallowed inputs in pkg/modules/exiftool/exiftool.go when processing metadata write requests. A remote attacker can send specially crafted metadata keys using ExifTool group-prefix syntax to modify files on the server.
In deployments with mounted volumes or non-containerized setups, exploitation may enable arbitrary file read via symlink chaining and file overwrite via directory manipulation.