{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35461", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.193Z", "datePublished": "2026-04-07T14:28:42.063Z", "dateUpdated": "2026-04-09T14:41:13.998Z"}, "containers": {"cna": {"title": "Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq"}], "affected": [{"vendor": "papra-hq", "product": "papra", "versions": [{"version": "< 26.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:28:42.063Z"}, "descriptions": [{"lang": "en", "value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0."}], "source": {"advisory": "GHSA-cjw7-qg95-58mq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:41:10.311428Z", "id": "CVE-2026-35461", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:41:13.998Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35461", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:41:10.311428Z"}}}], "references": [{"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:41:04.916Z"}}], "cna": {"title": "Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL", "source": {"advisory": "GHSA-cjw7-qg95-58mq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "papra-hq", "product": "papra", "versions": [{"status": "affected", "version": "< 26.4.0"}]}], "references": [{"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq", "name": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:28:42.063Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35461", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:41:13.998Z", "dateReserved": "2026-04-02T19:25:52.193Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T14:28:42.063Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:papra:papra:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2F10801-36E9-47AD-AD2D-DA4709B67B72", "versionEndExcluding": "26.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0."}], "id": "CVE-2026-35461", "lastModified": "2026-04-24T15:29:00.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T15:17:44.047", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,26.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "papra", "source": "cna", "vendor": "papra-hq"}, "product": "papra", "vendor": "papra-hq"}], "analysis": {"en": {"generated_at": "2026-04-07T19:52:51.476291+00:00", "value": {"mitigation_remediation": ["Upgrade Papra to version 26.4.0 or later to remove the unvalidated webhook registration flaw.", "If an upgrade is not immediately possible, restrict the webhook URL field to a whitelist of approved domains or enforce input validation to block localhost and private IP ranges.", "As a temporary measure, disable user registration of new webhooks or limit functionality to trusted administrative accounts until a fix is applied."], "summary": {"action": "Patch Immediately", "impact": "Blind Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The affected product is Papra, a document management and archiving platform. The vulnerability exists in all releases prior to 26.4.0.", "description_and_impact": "Papra\u2019s webhook system, before version 26.4.0, allows authenticated users to register any URL as a webhook without validating the destination. When a document event occurs, the server automatically posts to those URLs, which can include internal network ranges, localhost, or cloud metadata services. The vulnerability is performed in a blind fashion: the attacker cannot see the response from the target, but can cause the server to reach internal or metadata endpoints, potentially exposing privileged information or enabling further exploitation. The weakness is identified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score is 5, indicating moderate severity. EPSS information is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, implying no known public exploits at this time. The attack vector requires an authenticated user to register a webhook, after which the server performs outbound POST requests. Once a malicious webhook URL has been registered, any subsequent document event will trigger an outbound request to the attacker\u2011controlled endpoint, allowing the attacker to probe internal resources or access cloud metadata. The risk to confidentiality and availability depends on the internal environment accessed through the blind SSRF."}}}}, "created": "2026-04-08T19:37:29.902453+00:00", "updated": "2026-04-08T19:48:49.196133+00:00", "vendors": ["papra-hq", "papra-hq$PRODUCT$papra"]}