Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key - regardless of its expiration date - is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0.
AnalysisAI
Papra API key expiration validation bypass in versions before 26.4.0 allows authenticated users with expired API keys to maintain indefinite access to protected endpoints. An attacker who obtains or retains a valid API key can continue authenticating even after the key's expiresAt timestamp has passed, enabling persistent unauthorized data access. This affects all Papra deployments using API key authentication without the 26.4.0 patch, though exploitation requires initial possession of a valid API key.
Technical ContextAI
Papra is a document management and archiving platform that implements API key-based authentication for programmatic access to protected endpoints. The vulnerability stems from incomplete input validation (CWE-613: Insufficient Session Expiration) where the authentication handler fails to compare the current system time against the expiresAt claim embedded in API key metadata during token validation. Unlike proper JWT or session-based systems that check expiration timestamps server-side during each request, Papra's implementation accepts any syntactically valid key regardless of temporal constraints. This is a common anti-pattern in authentication frameworks where expiration logic is either entirely omitted or conditionally applied only under certain code paths.
RemediationAI
Vendor-released patch: Upgrade to Papra 26.4.0 or later, which implements proper expiresAt timestamp validation during API key authentication. Organizations unable to immediately patch should implement a compensating control at the reverse proxy or API gateway layer by maintaining a separate registry of revoked or expired API keys and rejecting requests containing those credentials before they reach the Papra application. Additionally, review audit logs for API access patterns using keys that should have expired, as continued activity post-expiration may indicate compromise or abuse of this vulnerability. The official security advisory at https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5 should be consulted for version-specific upgrade instructions.
Server-Side Request Forgery (SSRF) in Papra document management platform prior to 26.4.0 allows authenticated users to r
Papra document management platform versions prior to 26.4.0 allow authenticated attackers to inject HTML into transactio
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19657