Skip to main content

Papra CVE-2026-35461

| EUVDEUVD-2026-19655 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-07 GitHub_M
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
26.4.0
EUVD ID Assigned
Apr 07, 2026 - 15:00 euvd
EUVD-2026-19655
Analysis Generated
Apr 07, 2026 - 15:00 vuln.today
CVE Published
Apr 07, 2026 - 14:28 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.

AnalysisAI

Server-Side Request Forgery (SSRF) in Papra document management platform prior to 26.4.0 allows authenticated users to register arbitrary webhook endpoints without URL validation, enabling the server to make HTTP POST requests to localhost, internal networks, and cloud metadata endpoints on document events. Attack requires valid user authentication and knowledge of internal network topology but can exfiltrate sensitive data from restricted network segments.

Technical ContextAI

Papra's webhook registration mechanism fails to implement URL validation controls, creating a classic SSRF vulnerability (CWE-918). When authenticated users register webhook URLs, the application does not restrict destinations to external networks or validate that URLs do not target private IP ranges (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost, or cloud metadata services (AWS IMDSv1 at 169.254.169.254). The server then automatically makes outbound POST requests to these registered endpoints whenever document events occur, allowing an attacker to probe internal services, retrieve metadata (such as AWS credentials), or interact with internal APIs that only the server can reach. The vulnerability affects Papra versions prior to 26.4.0 across all platforms (CPE: cpe:2.3:a:papra-hq:papra:*:*:*:*:*:*:*:*), as the webhook validation logic is built into the core application.

RemediationAI

Vendor-released patch: Papra 26.4.0 or later. Organizations should upgrade immediately to version 26.4.0, which implements URL validation to reject webhook registrations targeting private IP ranges, localhost, and cloud metadata endpoints. If immediate upgrade is not feasible, implement network-layer controls by restricting outbound HTTP/HTTPS traffic from the Papra application server to non-public IP ranges and cloud metadata services (particularly 169.254.169.254 for AWS). Additionally, audit existing webhook configurations for any entries pointing to internal services or unusual destinations, and remove malicious or suspicious registrations. Refer to the official GitHub Security Advisory (https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq) for detailed patch notes and post-upgrade verification.

Share

CVE-2026-35461 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy