CVE-2026-40893: Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move

May 4, 2026

Gotenberg blocks certain ExifTool tag names like FileName and Directory to stop attackers from renaming or moving files on the server. But ExifTool allows a longer form of the same tag — System:FileName — which does the exact same thing. Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. No login is needed. One HTTP request is enough.

References

github.com/advisories/GHSA-62p3-hvxx-fxg4
github.com/gotenberg/gotenberg
github.com/gotenberg/gotenberg/security/advisories/GHSA-62p3-hvxx-fxg4
nvd.nist.gov/vuln/detail/CVE-2026-40893

Code Behaviors & Features

Detect and mitigate CVE-2026-40893 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →