Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.
AnalysisAI
Server-Side Request Forgery (SSRF) in Papra document management platform prior to 26.4.0 allows authenticated users to register arbitrary webhook endpoints without URL validation, enabling the server to make HTTP POST requests to localhost, internal networks, and cloud metadata endpoints on document events. Attack requires valid user authentication and knowledge of internal network topology but can exfiltrate sensitive data from restricted network segments.
Technical ContextAI
Papra's webhook registration mechanism fails to implement URL validation controls, creating a classic SSRF vulnerability (CWE-918). When authenticated users register webhook URLs, the application does not restrict destinations to external networks or validate that URLs do not target private IP ranges (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost, or cloud metadata services (AWS IMDSv1 at 169.254.169.254). The server then automatically makes outbound POST requests to these registered endpoints whenever document events occur, allowing an attacker to probe internal services, retrieve metadata (such as AWS credentials), or interact with internal APIs that only the server can reach. The vulnerability affects Papra versions prior to 26.4.0 across all platforms (CPE: cpe:2.3:a:papra-hq:papra:*:*:*:*:*:*:*:*), as the webhook validation logic is built into the core application.
RemediationAI
Vendor-released patch: Papra 26.4.0 or later. Organizations should upgrade immediately to version 26.4.0, which implements URL validation to reject webhook registrations targeting private IP ranges, localhost, and cloud metadata endpoints. If immediate upgrade is not feasible, implement network-layer controls by restricting outbound HTTP/HTTPS traffic from the Papra application server to non-public IP ranges and cloud metadata services (particularly 169.254.169.254 for AWS). Additionally, audit existing webhook configurations for any entries pointing to internal services or unusual destinations, and remove malicious or suspicious registrations. Refer to the official GitHub Security Advisory (https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq) for detailed patch notes and post-upgrade verification.
Papra API key expiration validation bypass in versions before 26.4.0 allows authenticated users with expired API keys to
Papra document management platform versions prior to 26.4.0 allow authenticated attackers to inject HTML into transactio
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19655