CRITICAL: CVE-2026-40281 (CVSS 10) — multiple products
CVE: CVE-2026-40281
CVSS: 10 (3.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Severity: CRITICAL
Status: Critical advisory
Affected
_See vendor advisory_
Summary
Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.
Verified Sources
References
- https://github.com/gotenberg/gotenberg/commit/405f1069c026bb08f319fb5a44e5c67c33208318
- https://github.com/gotenberg/gotenberg/security/advisories/GHSA-q7r4-hc83-hf2q
_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._
Lyrie Verdict
A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.
Validated sources
- [1]NVD
- [2]GitHub Advisory
- [3]MITRE