Skip to main content

Papra EUVDEUVD-2026-19657

| CVE-2026-35462 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-04-07 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
26.4.0
EUVD ID Assigned
Apr 07, 2026 - 15:00 euvd
EUVD-2026-19657
Analysis Generated
Apr 07, 2026 - 15:00 vuln.today
CVE Published
Apr 07, 2026 - 14:30 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key - regardless of its expiration date - is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0.

AnalysisAI

Papra API key expiration validation bypass in versions before 26.4.0 allows authenticated users with expired API keys to maintain indefinite access to protected endpoints. An attacker who obtains or retains a valid API key can continue authenticating even after the key's expiresAt timestamp has passed, enabling persistent unauthorized data access. This affects all Papra deployments using API key authentication without the 26.4.0 patch, though exploitation requires initial possession of a valid API key.

Technical ContextAI

Papra is a document management and archiving platform that implements API key-based authentication for programmatic access to protected endpoints. The vulnerability stems from incomplete input validation (CWE-613: Insufficient Session Expiration) where the authentication handler fails to compare the current system time against the expiresAt claim embedded in API key metadata during token validation. Unlike proper JWT or session-based systems that check expiration timestamps server-side during each request, Papra's implementation accepts any syntactically valid key regardless of temporal constraints. This is a common anti-pattern in authentication frameworks where expiration logic is either entirely omitted or conditionally applied only under certain code paths.

RemediationAI

Vendor-released patch: Upgrade to Papra 26.4.0 or later, which implements proper expiresAt timestamp validation during API key authentication. Organizations unable to immediately patch should implement a compensating control at the reverse proxy or API gateway layer by maintaining a separate registry of revoked or expired API keys and rejecting requests containing those credentials before they reach the Papra application. Additionally, review audit logs for API access patterns using keys that should have expired, as continued activity post-expiration may indicate compromise or abuse of this vulnerability. The official security advisory at https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5 should be consulted for version-specific upgrade instructions.

Share

EUVD-2026-19657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy