File Manipulation Vulnerability in Gotenberg by Gotenberg Team
CVE-2026-40893

8.2 HIGH

Key Information:

Vendor: Gotenberg
Status: Vendor
CVE Published: 14 May 2026

What is CVE-2026-40893?

Gotenberg, a Docker-based API for managing PDF files, is affected by a file manipulation vulnerability in versions prior to 8.31.0. The affected check rejects only an exact match of the tag name 'FileName', so the namespaced form 'System:FileName' passes through unchallenged. A remote attacker can use this bypass to move, rename, and alter permissions on arbitrary files within the server environment. The issue is fixed in version 8.31.0, and users are encouraged to update their installations promptly.
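To make the described check concrete, the following is an added Go example (Gotenberg's language) that is not Gotenberg's own code: the weak exact-match filter sits beside a hardened one that validates the key's shape, strips any group prefix and compares case-insensitively. The deny list, the function names and the request-map shape are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed deny list; the advisory names only FileName as a filesystem-affecting tag.
var forbiddenTags = map[string]bool{"filename": true}

// Optional "Group:" prefixes plus a bare tag; spaces, '<', '+' and quotes are refused.
var tagShape = regexp.MustCompile(`^(?:[A-Za-z0-9_-]+:)*[A-Za-z0-9_-]+$`)

// vulnerableAllows is the weak check from the advisory: exact equality with
// "FileName", so the namespaced "System:FileName" slips through.
func vulnerableAllows(key string) bool {
	return key != "FileName"
}

// hardenedAllows validates the shape, strips any group prefix and compares the
// bare name case-insensitively, so System:FileName and filename are both refused.
func hardenedAllows(key string) bool {
	if !tagShape.MatchString(key) {
		return false
	}
	bare := key[strings.LastIndex(key, ":")+1:]
	return !forbiddenTags[strings.ToLower(bare)]
}

// filterMetadata drops forbidden keys and returns them so the caller can reject the request.
func filterMetadata(meta map[string]string) (map[string]string, []string) {
	kept := make(map[string]string, len(meta))
	var rejected []string
	for k, v := range meta {
		if hardenedAllows(k) {
			kept[k] = v
		} else {
			rejected = append(rejected, k)
		}
	}
	return kept, rejected
}

func main() {
	// Constructed sample request metadata that includes the bypass key.
	meta := map[string]string{"Title": "Report", "System:FileName": "/tmp/x"}
	kept, rejected := filterMetadata(meta)
	fmt.Println(vulnerableAllows("System:FileName"), kept, rejected)
}
```

Returning the rejected keys lets the handler answer with a 400 and log the attempt, which is the detection signal a defender wants for this class of bypass.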

Affected Version(s)

gotenberg < 8.31.0

References

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved