Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist — CVE-2026-42590

Summary

**Summary** The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. This is a bypass of the fix for GHSA-qmwh-9m9c-h36m. **Details** The blocklist in `pkg/modules/exiftool/exiftool.go` filters four dangerous pseudo-tags (`FileName`, `Directory`, `HardLink`, `SymLink`) using…

Product

go: github.com/gotenberg/gotenberg/v8

What to do

General, cautious steps (verify details in the official source):

• Prioritize patching or mitigation immediately (treat as actively risky).
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source
• CVE Record
• NVD

Related advisories