PT-2026-30855 · Papra · Papra
Toothless5143 · Published 2026-04-07 · Updated 2026-04-07
CVE-2026-35462
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Papra versions prior to 26.4.0
Description
Papra is a document management and archiving platform. Before version 26.4.0, API keys with an expiration date (expiresAt) were not checked against the current time during authentication. This allowed users with expired API keys to continue accessing protected endpoints as if the key were still valid.
Recommendations
Update to version 26.4.0 or later.
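The flaw described above, shown beside a corrected check, as an added example that is not Papra's code. The key store, function names and result shape are hypothetical; only expiresAt comes from the advisory, and the example assumes a key with no expiresAt never expires.

```javascript
// Added illustration, not Papra's source. Everything except the expiresAt
// field name is a hypothetical stand-in.
// Constructed sample key store: token -> key record.
const API_KEYS = new Map([
  ['key-live', { userId: 'u1', expiresAt: '2026-12-31T00:00:00Z' }],
  ['key-expired', { userId: 'u2', expiresAt: '2026-01-01T00:00:00Z' }],
  ['key-no-expiry', { userId: 'u3', expiresAt: null }],
  ['key-bad-date', { userId: 'u4', expiresAt: 'not-a-date' }],
]);

// Flawed pattern from the description: the key is found, but expiresAt
// is never compared with the current time.
function authenticateWithoutExpiryCheck(token) {
  const record = API_KEYS.get(token);
  return record
    ? { ok: true, userId: record.userId }
    : { ok: false, reason: 'unknown_key' };
}

// Corrected pattern: a key is rejected once its expiresAt has been reached.
// `now` is injectable so the check can be tested deterministically.
function authenticateWithExpiryCheck(token, now = new Date()) {
  const record = API_KEYS.get(token);
  if (!record) return { ok: false, reason: 'unknown_key' };
  if (record.expiresAt !== null && record.expiresAt !== undefined) {
    const expiry = new Date(record.expiresAt).getTime();
    // Fail closed: an expiry value that cannot be parsed is not trusted.
    if (Number.isNaN(expiry)) return { ok: false, reason: 'invalid_expiry' };
    if (now.getTime() >= expiry) return { ok: false, reason: 'expired_key' };
  }
  return { ok: true, userId: record.userId };
}

// Constructed "current time" so the output is reproducible.
const NOW = new Date('2026-04-07T12:00:00Z');
for (const token of API_KEYS.keys()) {
  console.log(
    token,
    'without check:', authenticateWithoutExpiryCheck(token).ok,
    'with check:', JSON.stringify(authenticateWithExpiryCheck(token, NOW)),
  );
}
```

A regression test for the fix should cover the expired key, the key with no expiry, and the exact expiry instant.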
Weakness Enumeration
Insufficient Session Expiration
Affected Products
Papra