Critical (10.0)

Gotenberg unauth file overwrite (CVE-2026-40281)

CVE-2026-40281: Critical unauth file overwrite in Gotenberg 8.30.1 and earlier via ExifTool injection (CVSS 10.0). Update to 8.31.0 or apply the vendor patch.

Patch now - CVE-2026-40281 is a critical unauthenticated file manipulation vulnerability in Gotenberg 8.30.1 and earlier that lets attackers overwrite arbitrary files, rename PDFs, or create symlinks/hard links in the container filesystem. Patched in version 8.31.0 - update immediately.

Overview

Gotenberg is a Docker-powered stateless API for generating and converting PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. An attacker can inject a newline character into a metadata value; because ExifTool reads its arguments from stdin one per line, the newline splits what should be a single argument into two. This bypasses the incomplete key-sanitization fix introduced in v8.30.1.

The injected argument can carry ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink, which act on the file itself rather than on its metadata. An unauthenticated attacker can therefore rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.

This vulnerability has a CVSS score of 10.0 (CRITICAL) due to its network attack vector, low attack complexity, no required privileges, and no user interaction needed.

Impact

The impact is severe for any system running Gotenberg 8.30.1 or earlier:

  • Arbitrary file overwrite on the container filesystem
  • PDF file rename/move to attacker-controlled paths
  • Creation of symlinks and hard links at arbitrary locations
  • Full compromise of container integrity

Attackers can chain this vulnerability with other flaws to achieve container escape or lateral movement. The unauthenticated nature of the exploit means any attacker with network access to the Gotenberg API can execute these attacks.

Remediation

Update Gotenberg to version 8.31.0 immediately. This version fully sanitizes both metadata keys and values before passing them to ExifTool, preventing the injection attack.
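As an added illustration (not Gotenberg's own code), the key-only check the advisory attributes to v8.30.1 is shown next to a check that treats keys and values uniformly, followed by an ExifTool argument-file builder that refuses unvalidated input. The function names and the argument-file layout are assumptions, and the sample metadata is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// ExifTool's "-@ -" mode reads one argument per stdin line, so a newline inside a
// key or a value would begin a new argument; reject every control character.
func hasControlChar(s string) bool {
	return strings.IndexFunc(s, unicode.IsControl) >= 0
}

// validateKeysOnly mirrors the incomplete v8.30.1 check (keys only); kept for contrast.
func validateKeysOnly(md map[string]string) error {
	for k := range md {
		if hasControlChar(k) {
			return fmt.Errorf("key %q contains a control character", k)
		}
	}
	return nil
}

// validateMetadata applies the same rule to every key and every value.
func validateMetadata(md map[string]string) error {
	for k, v := range md {
		if hasControlChar(k) || hasControlChar(v) {
			return fmt.Errorf("field %q contains a control character", k)
		}
	}
	return nil
}

// argfile returns the ExifTool argument file, one "-Key=Value" per line, only after validation.
func argfile(md map[string]string) (string, error) {
	if err := validateMetadata(md); err != nil {
		return "", err
	}
	var b strings.Builder
	for k, v := range md {
		fmt.Fprintf(&b, "-%s=%s\n", k, v)
	}
	return b.String(), nil
}

func main() {
	bad := map[string]string{"Title": "Report\n-Injected"} // constructed sample
	fmt.Println(validateKeysOnly(bad), "|", validateMetadata(bad))
}
```

The key-only check returns nil for the constructed value, while the uniform check rejects it before any argument file is built.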

If immediate patching is not possible, restrict network access to the Gotenberg API endpoint to trusted IPs only. Use a web application firewall (WAF) to block requests with newline characters in metadata value fields. Review container security configurations and ensure the principle of least privilege is applied to the Gotenberg container.

Security Insight

This vulnerability follows a troubling pattern in which security patches are applied incompletely. The v8.30.1 fix that sanitized only metadata keys while leaving values exposed is a classic “fix the symptom, not the cause” error. Gotenberg’s reliance on ExifTool as a subprocess fed unsanitized input is a fundamental design weakness. Vendors should adopt input validation that treats all input fields uniformly rather than patching fields one at a time.
