CVE-2026-42589: Unauthenticated RCE in Gotenberg via ExifTool Newline Injection in Metadata Write Endpoint

Unauthenticated server-side request forgery (SSRF) in Gotenberg 8.30.1 and earlier allows remote attackers to force the server to make HTTP requests to internal/loopback addresses by bypassing default deny-lists with IPv4-mapped IPv6 notation (e.g., http://[::ffff:127.0.0.1]:port). The vulnerability affects both the downloadFrom file-fetching feature and the webhook delivery feature. Attackers can read content from internal HTTP endpoints and trigger state-changing requests against services bound to localhost, exposing internal APIs, cloud metadata endpoints, and admin interfaces. Fix available in version 8.32.0. No public exploit code confirmed outside the GitHub advisory PoC, not listed in CISA KEV, but CVSS 9.4 Critical rating reflects the network-accessible, unauthenticated nature and high confidentiality/integrity impact.

Remote attackers can manipulate server filesystem operations in Gotenberg v8 by bypassing ExifTool metadata blocklist using group-prefix syntax (e.g., 'File:FileName' instead of 'FileName'). The vulnerability allows unauthenticated file renaming, moving, symlink/hardlink creation, and permission modification on the server. This directly bypasses the previous fix for GHSA-qmwh-9m9c-h36m. Public exploit code exists with working PoC commands. In non-containerized deployments or those with mounted volumes, attackers can achieve arbitrary file read via symlink chaining and file overwrites. CVSS 8.2 (High) with network vector, low complexity, and no authentication required.

Server-Side Request Forgery in Gotenberg's LibreOffice conversion endpoint allows remote attackers to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Attackers upload specially crafted Office documents (DOCX, XLSX, PPTX) with embedded external URL references that LibreOffice fetches during PDF conversion, completely bypassing the SSRF protections introduced in v8.31.0. Publicly available exploit code exists with detailed proof-of-concept showing three successful HTTP requests to attacker-controlled servers. The vulnerability enables exfiltration of cloud IAM credentials from metadata services (169.254.169.254), internal service enumeration, and network reconnaissance without authentication. CVSS 8.2 with network vector and no privileges required reflects accurate real-world risk given documented exploitation method and lack of vendor-released patch.

Unauthenticated remote attackers crash Gotenberg 8.x (≤ 8.31.0) by triggering a race condition between webhook goroutine context reuse and Echo framework connection pooling. When webhook middleware spawns an async goroutine holding an `echo.Context` reference, the synchronous handler returns immediately, recycling the context to Echo's `sync.Pool`. Concurrent requests reset the pooled context, causing unchecked type assertions in the still-running webhook goroutine to panic outside any `recover()` scope, terminating the process with exit code 2. Twenty-four webhook requests plus sixty concurrent GET requests demonstrate reliable two-second crash windows. No patch was available at initial disclosure; upstream commit fixes the panic in version 8.32.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects trivial unauthenticated network exploitation producing complete service disruption.

Gotenberg versions 8.31.0 and earlier allow unauthenticated remote attackers to enumerate and read arbitrary files under /tmp/ via the /forms/chromium/convert/url and /forms/chromium/screenshot/url endpoints using file:// scheme URLs. An attacker can discover in-flight conversion request directories and exfiltrate source files (HTML, Markdown, Office documents, staged PDFs) from other users' concurrent conversion requests by timing attacks to coincide with long-running conversion operations. The vulnerability exploits a logic flaw where the URL routes fail to set per-request scope guards that HTML/Markdown routes correctly apply, causing file:// access control enforcement to silently skip for URL-based conversions.

Arbitrary PDF file read vulnerability in Gotenberg versions up to 8.31.0 allows unauthenticated remote attackers to extract PDF content via path traversal in stampExpression and watermarkExpression parameters on six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown). The vulnerability exists because these routes accept user-controlled file paths without validation when stamp or watermark source is set to PDF, unlike the dedicated stamp/watermark routes which enforce file upload requirements. An attacker can read any PDF accessible to the Gotenberg process by specifying its filesystem path, gaining access to potentially sensitive documents in containerized deployments or systems with mounted directories.

DNS rebinding vulnerability in Gotenberg allows unauthenticated remote attackers to bypass SSRF protections and access internal services via Chromium URL conversion routes. When a URL is submitted for PDF conversion, Gotenberg validates the resolved IP address against a deny-list but discards the pinned result. Chromium then performs independent DNS resolution multiple times, creating a race condition where an attacker controlling DNS can return a public IP during validation and a private IP during connection, allowing access to loopback services, cloud metadata endpoints, or internal networks. Exploitation succeeds approximately 10% per attempt with trivial automation.