CVE-2026-42593 in Gotenberg

Summary

by MITRE • 05/14/2026

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression=/path from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem. This vulnerability is fixed in 8.32.0.


Analysis

by VulDB Data Team • 05/15/2026

This vulnerability exists in Gotenberg versions prior to 8.32.0 and is an unauthenticated arbitrary file read: any PDF readable by the Gotenberg process inside the container can be returned to an anonymous caller. Six routes are affected: pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html and chromium/convert/markdown. Each accepts stampSource=pdf together with stampExpression, or watermarkSource=pdf together with watermarkExpression, and when the source type is pdf the expression is treated as a filesystem path. That path is handed to the underlying pdfcpu library without being tied to anything the request actually uploaded.

The flaw is one of control flow rather than missing character filtering. When stampSource or watermarkSource is pdf, the route is meant to stamp with a file the caller uploaded, and the dedicated stamp and watermark routes enforce that by rejecting requests without one. The six routes listed above instead only overwrite the expression with the uploaded file's path when a file is present; when no file is attached, the caller's own value survives and is used as-is. No traversal sequences are required, because an absolute path is accepted directly. pdfcpu opens that path, composites its pages onto the output PDF, and the result is returned in the response. The read happens with the permissions of the Gotenberg process, so nothing is bypassed at the operating-system level; the problem is that the application lets a network caller choose which of the process's readable PDFs end up in the output.

The operational impact is a confidentiality loss. Gotenberg exposes these routes to anonymous callers, so no credentials are needed. What can be read is limited to files that pdfcpu can parse as PDF and that the container's user context can access: the container image itself, any volumes mounted into it, and any documents other users have submitted if those persist on disk. Non-PDF files such as configuration files are not disclosed through this path. This is not a privilege escalation; the attacker gains read access at the level the process already has, but from the network and without authentication.

The vulnerability maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and, more precisely, CWE-73 (External Control of File Name or Path). The ATT&CK mapping to T1074.001 (Local Data Staging) and T1566.001 (Spearphishing Attachment) is loose: stolen documents could feed a later phishing campaign, but the behaviour itself is collection and sits closest to T1005 (Data from Local System). Organizations running Gotenberg before 8.32.0 should upgrade. Where that cannot happen immediately: do not expose the API to untrusted networks, place it behind an authenticating proxy, run the container as a non-root user with a read-only root filesystem and only the volumes it needs so that few PDFs are on disk to read, and log request parameters at the proxy so that stampSource=pdf or watermarkSource=pdf arriving without a multipart file part can be flagged and investigated.

Version 8.32.0 closes the gap by ensuring that a pdf stamp or watermark on these routes refers only to a file received in the request, bringing them in line with the dedicated stamp and watermark routes; a caller-supplied path is no longer forwarded to pdfcpu. Beyond upgrading, the general lesson for any service that accepts both a file upload and a path-like parameter is to derive the path from the upload alone and to fail closed when the upload is missing, rather than leaving the parameter in place as a fallback.
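The control-flow bug described above, reduced to a small Go model, as an added example that is not Gotenberg's own code. The form field name "files", the working directory, the function names and the attacker's target path are all assumptions made for illustration; resolveStampBefore reproduces the "overwrite only when a file is attached" logic, and resolveStampAfter shows the fail-closed form with an added containment check on the resulting path.

```go
package main

import (
	"errors"
	"fmt"
	"mime/multipart"
	"path/filepath"
	"strings"
)

// formValue returns the first value of a multipart field, or "" when absent.
func formValue(form *multipart.Form, key string) string {
	if v := form.Value[key]; len(v) > 0 {
		return v[0]
	}
	return ""
}

// uploadedPath is where the request's uploaded file would be written inside the
// per-request working directory. No I/O is performed; the path alone shows the flow.
func uploadedPath(workDir string, fh *multipart.FileHeader) string {
	return filepath.Join(workDir, filepath.Base(fh.Filename))
}

// resolveStampBefore mirrors the pre-8.32.0 behaviour the CVE describes: the
// caller-supplied expression is only replaced when a file is attached.
func resolveStampBefore(form *multipart.Form, workDir string) (string, error) {
	source := formValue(form, "stampSource")
	expr := formValue(form, "stampExpression")
	if source != "pdf" {
		return expr, nil
	}
	if files := form.File["files"]; len(files) > 0 { // "files" field name is assumed
		expr = uploadedPath(workDir, files[0])
	}
	// With no upload, expr is still whatever the caller sent, e.g. /srv/reports/secret.pdf.
	return expr, nil
}

// resolveStampAfter is the hardened form: a pdf (or image) stamp must come from
// an upload, and the resolved path must stay inside workDir.
func resolveStampAfter(form *multipart.Form, workDir string) (string, error) {
	source := formValue(form, "stampSource")
	expr := formValue(form, "stampExpression")
	switch source {
	case "", "text":
		return expr, nil // a text expression is never opened as a file
	case "pdf", "image":
		files := form.File["files"]
		if len(files) == 0 {
			return "", errors.New("stampSource=" + source + " requires an uploaded file")
		}
		p := uploadedPath(workDir, files[0])
		if !insideDir(workDir, p) {
			return "", errors.New("upload resolved outside the working directory")
		}
		return p, nil
	default:
		return "", fmt.Errorf("unsupported stampSource %q", source)
	}
}

// insideDir reports whether p lies under dir after cleaning, so that a ../ in a
// filename (or a future code path that lets callers influence it) cannot escape.
func insideDir(dir, p string) bool {
	rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(p))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// attackerForm is a constructed request with no file attached: the shape an
// anonymous caller would send to pull a server-side PDF into the output.
func attackerForm() *multipart.Form {
	return &multipart.Form{
		Value: map[string][]string{
			"stampSource":     {"pdf"},
			"stampExpression": {"/srv/reports/secret.pdf"}, // hypothetical target path
		},
		File: map[string][]*multipart.FileHeader{},
	}
}

// legitimateForm carries the stamp PDF as an upload, as the dedicated routes require.
func legitimateForm() *multipart.Form {
	return &multipart.Form{
		Value: map[string][]string{
			"stampSource":     {"pdf"},
			"stampExpression": {"stamp.pdf"},
		},
		File: map[string][]*multipart.FileHeader{
			"files": {{Filename: "stamp.pdf", Size: 1234}},
		},
	}
}

func main() {
	const workDir = "/tmp/gotenberg/job-1" // assumed per-request working directory
	cases := []struct {
		name string
		form *multipart.Form
	}{
		{"attacker (no upload)", attackerForm()},
		{"legitimate (upload)", legitimateForm()},
	}
	for _, c := range cases {
		before, _ := resolveStampBefore(c.form, workDir)
		after, err := resolveStampAfter(c.form, workDir)
		fmt.Printf("%-22s before=%q after=%q err=%v\n", c.name, before, after, err)
	}
}
```

The vulnerable resolver returns the attacker's absolute path untouched because the overwrite is conditional on an upload that never arrives; the hardened one treats the missing upload as an error and never consults the caller's expression for a file-backed source type.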

Responsible

GitHub M

Reservation

04/29/2026

Disclosure

05/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00076

KEV

no

Activities

very low
