Share
## https://sploitus.com/exploit?id=EEAC1C04-DDF1-5C0D-BDA0-7EC31B0B8984
# POC_CVE-2026-42589

Local reproduction lab and nuclei template draft for `CVE-2026-42589` affecting Gotenberg.

## Summary

`CVE-2026-42589` is an unauthenticated remote code execution issue in Gotenberg caused by metadata key newline injection in:

```text
POST /forms/pdfengines/metadata/write
```

Affected Gotenberg forwards user-controlled metadata keys to ExifTool without rejecting control characters. A metadata key containing JSON-escaped newlines may be split into additional ExifTool arguments.

This lab was used to validate:

- vulnerable behavior on `gotenberg/gotenberg:8.29.1`
- patched behavior on `gotenberg/gotenberg:8.31.0`

The nuclei template uses only a non-destructive `sleep 6` timing check.

## References

- GitHub Advisory: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657
- Fixed release: https://github.com/gotenberg/gotenberg/releases/tag/v8.31.0
- ExifTool docs: https://exiftool.org/exiftool_pod.html

## Files

- `docker-compose.yml`
- `docker-compose.latest.yml`
- `CVE-2026-42589.yaml`
- `README.md`

## Vulnerable Test

Start Gotenberg `8.29.1`:

```bash
docker compose down -v
docker compose up -d
docker compose logs --tail=100 gotenberg
```

Check the version:

```bash
curl -s http://127.0.0.1:3000/version
```

## Patched-Version Control

Start Gotenberg `8.31.0`:

```bash
docker compose -f docker-compose.latest.yml down -v
docker compose -f docker-compose.latest.yml up -d
docker compose -f docker-compose.latest.yml logs --tail=100 gotenberg
```

Check the version:

```bash
curl -s http://127.0.0.1:3000/version
```

## Nuclei

Validate the template:

```bash
nuclei -duc -validate -t CVE-2026-42589.yaml
```

Run against the vulnerable target:

```bash
nuclei -duc -u http://127.0.0.1:3000 -t CVE-2026-42589.yaml
```

Expected behavior:

- `8.29.1`: match after the delayed `500` response
- `8.31.0`: no match

Observed vulnerable result:

```text
[CVE-2026-42589] [http] [critical] http://127.0.0.1:3000/forms/pdfengines/metadata/write
[INF] Scan completed in 6.245907708s. 1 matches found.
```

Observed patched-version result:

```text
[INF] Scan completed in 109.346792ms. No results found.
```

## Notes

- This lab intentionally avoids file writes, reverse shells, and out-of-band callbacks.
- The template detects behavior, not only a version banner.
- No real-world targets were used.
- Use only on systems you own or are explicitly authorized to test.