{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40893/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["gotenberg/gotenberg/v8"],"_cs_severities":["medium"],"_cs_tags":["exiftool","file-manipulation","cve-2026-40893"],"_cs_type":"advisory","_cs_vendors":["github"],"content_html":"\u003cp\u003eGotenberg, a Docker-based server for document conversion, is susceptible to a critical vulnerability (CVE-2026-40893) that bypasses its intended security measures. Specifically, a blocklist designed to prevent arbitrary file renaming and moving via ExifTool is circumvented by using group-prefixed tag names such as \u003ccode\u003eSystem:FileName\u003c/code\u003e. This vulnerability, affecting Gotenberg version 8.30.1 and earlier, allows unauthenticated attackers to manipulate files within the container by sending crafted HTTP requests. The bypass allows for renaming files, moving files to arbitrary directories, and changing file permissions, potentially leading to service disruption or, in shared-volume deployments, impacting other services utilizing the same volumes. 
This vulnerability effectively negates the patch provided in GHSA-qmwh-9m9c-h36m.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Gotenberg instance (version 8.30.1 or earlier) exposed via HTTP.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to any Gotenberg endpoint that accepts the \u003ccode\u003emetadata\u003c/code\u003e field, such as \u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e, \u003ccode\u003e/forms/chromium/convert/html\u003c/code\u003e, or \u003ccode\u003e/forms/libreoffice/convert\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003efiles\u003c/code\u003e parameter with a PDF file (or any other supported file type).\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003emetadata\u003c/code\u003e parameter, a JSON object containing malicious ExifTool tag names such as \u003ccode\u003eSystem:FileName\u003c/code\u003e and \u003ccode\u003eSystem:Directory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGotenberg\u0026rsquo;s \u003ccode\u003eexiftool.go\u003c/code\u003e validates the tag names against a blocklist but fails to normalize group prefixes, allowing \u003ccode\u003eSystem:FileName\u003c/code\u003e to bypass the check that would block \u003ccode\u003eFileName\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eExifTool receives the \u003ccode\u003eSystem:FileName\u003c/code\u003e and \u003ccode\u003eSystem:Directory\u003c/code\u003e tags and interprets them as \u003ccode\u003eFileName\u003c/code\u003e and \u003ccode\u003eDirectory\u003c/code\u003e, respectively.\u003c/li\u003e\n\u003cli\u003eExifTool renames and moves the uploaded file to the attacker-specified location within the container\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eIf Gotenberg attempts to access the file after it has been moved, the server returns a 404 error, potentially disrupting service for other 
users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-40893) allows an unauthenticated attacker to manipulate files within the Gotenberg container. This includes the ability to rename files, move them to arbitrary directories, and change their permissions. This can lead to denial-of-service conditions due to missing files, or in scenarios where Gotenberg shares a Docker volume with other services, it allows for planting malicious files in those shared directories. Since no authentication is required by default, any system capable of sending HTTP requests to the Gotenberg instance can exploit this vulnerability, widening the attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Gotenberg greater than 8.30.1 to remediate CVE-2026-40893.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Gotenberg ExifTool Tag Blocklist Bypass\u003c/code\u003e to identify exploitation attempts based on the use of \u003ccode\u003eSystem:\u003c/code\u003e prefixed ExifTool tags.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Gotenberg FilePermissions Tag Abuse\u003c/code\u003e to detect abuse of the \u003ccode\u003eFilePermissions\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for POST requests to the affected Gotenberg endpoints (\u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e, \u003ccode\u003e/forms/chromium/convert/html\u003c/code\u003e, \u003ccode\u003e/forms/libreoffice/convert\u003c/code\u003e) containing the string \u003ccode\u003eSystem:FileName\u003c/code\u003e or \u003ccode\u003eFilePermissions\u003c/code\u003e in the request 
body.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T19:21:19Z","date_published":"2026-05-04T19:21:19Z","id":"/briefs/2026-05-gotenberg-exiftool-bypass/","summary":"Gotenberg is vulnerable to an ExifTool tag blocklist bypass, allowing unauthenticated attackers to rename, move, and modify permissions of files within the container by using group-prefixed tag names like 'System:FileName' or the 'FilePermissions' tag in HTTP requests.","title":"Gotenberg ExifTool Tag Blocklist Bypass via Group-Prefixed Tag Names","url":"https://feed.craftedsignal.io/briefs/2026-05-gotenberg-exiftool-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-40893","version":"https://jsonfeed.org/version/1.1"}