Remote Code Execution Vulnerability in Gotenberg by Floki Framework
CVE-2026-42593

5.3 MEDIUM

Key Information:

Vendor: Gotenberg
Status: Vendor
CVE Published: 14 May 2026

What is CVE-2026-42593?

The Gotenberg PDF API, used for document processing inside Docker environments, has a security flaw that lets attackers with anonymous access execute arbitrary code. Before version 8.32.0, the endpoints for merging and converting PDF files did not adequately validate user-supplied paths, potentially exposing sensitive documents. An attacker could exploit this gap to read any accessible PDF file on the container's filesystem, compromising data confidentiality. This critical issue has been addressed in version 8.32.0, which validates user-uploaded documents and secures them against unwanted access.
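The mitigation the advisory describes, validating client-supplied document names before the merge and convert endpoints open them, as an added Go example (illustrative code, not Gotenberg's own; the per-request upload directory and the function names are assumptions):

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadFileName is returned when a client-supplied name is absolute, names
// no file, or would resolve outside the per-request upload directory.
var ErrBadFileName = errors.New("file name is not a file inside the upload directory")
// SafeUploadPath maps a client-supplied file name onto uploadDir, the directory
// assumed to hold this request's uploads (illustrative, not Gotenberg's code).
// Bad names are rejected, not silently rewritten. The check is lexical: if
// uploadDir may contain symlinks, run filepath.EvalSymlinks and re-check.
func SafeUploadPath(uploadDir, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrBadFileName
	}
	base := filepath.Clean(uploadDir)
	target := filepath.Join(base, name) // Join also collapses "." and ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// rel is "." when name cleaned to nothing, ".." or "../x" when it climbed out.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadFileName
	}
	return target, nil
}

// MergeInputs validates every name a merge request lists: each must stay
// inside uploadDir and carry a .pdf extension, since the endpoint only
// merges PDFs. The first bad name aborts the whole request.
func MergeInputs(uploadDir string, names []string) ([]string, error) {
	paths := make([]string, 0, len(names))
	for _, n := range names {
		p, err := SafeUploadPath(uploadDir, n)
		if err != nil {
			return nil, fmt.Errorf("input %q: %w", n, err)
		}
		if !strings.EqualFold(filepath.Ext(p), ".pdf") {
			return nil, fmt.Errorf("input %q: not a PDF", n)
		}
		paths = append(paths, p)
	}
	return paths, nil
}
```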

Affected Version(s)

gotenberg < 8.32.0

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved