{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35462", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.193Z", "datePublished": "2026-04-07T14:30:17.479Z", "dateUpdated": "2026-04-07T17:54:02.880Z"}, "containers": {"cna": {"title": "Papra Does Not Reject Expired API Keys", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5"}], "affected": [{"vendor": "papra-hq", "product": "papra", "versions": [{"version": "< 26.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:30:17.479Z"}, "descriptions": [{"lang": "en", "value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key \u2014 regardless of its expiration date \u2014 is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0."}], "source": {"advisory": "GHSA-866c-mc22-wvv5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T17:53:54.846310Z", "id": "CVE-2026-35462", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:54:02.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35462", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T17:53:54.846310Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:53:58.069Z"}}], "cna": {"title": "Papra Does Not Reject Expired API Keys", "source": {"advisory": "GHSA-866c-mc22-wvv5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "papra-hq", "product": "papra", "versions": [{"status": "affected", "version": "< 26.4.0"}]}], "references": [{"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5", "name": "https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key \u2014 regardless of its expiration date \u2014 is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:30:17.479Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35462", "state": "PUBLISHED", "dateUpdated": "2026-04-07T17:54:02.880Z", "dateReserved": "2026-04-02T19:25:52.193Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T14:30:17.479Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:papra:papra:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2F10801-36E9-47AD-AD2D-DA4709B67B72", "versionEndExcluding": "26.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key \u2014 regardless of its expiration date \u2014 is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0."}], "id": "CVE-2026-35462", "lastModified": "2026-04-24T15:22:51.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T15:17:44.197", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,26.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "papra", "source": "cna", "vendor": "papra-hq"}, "product": "papra", "vendor": "papra-hq"}], "analysis": {"en": {"generated_at": "2026-04-07T20:20:40.225363+00:00", "value": {"mitigation_remediation": ["Upgrade Papra to version 26.4.0 or later, which enforces proper expiration checking.", "Revoke all existing API keys, especially those that have expired, and issue new keys.", "Audit the key database to confirm no expired keys remain active after the patch.", "If upgrading immediately is not possible, temporarily disable expired keys and monitor API usage for suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access via Expired API Key"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Papra releases before version 26.4.0. Users running versions earlier than 26.4.0 may find that any API key they have issued remains usable even after its expiresAt value has passed. The product is papra\u2011hq:papra, and the fix was implemented in the 26.4.0 release.", "description_and_impact": "Papra, a minimalistic document management platform, has a flaw where API keys with an expiration timestamp are never checked against the current time during authentication. As a result, any key\u2014regardless of whether it has expired\u2014continues to be accepted indefinitely. This weakness allows a holder of an expired key to access protected endpoints as if the key were still valid, effectively granting unauthorized access. The issue represents a failure to perform authentication with a time\u2011based constraint, classified as CWE\u2011613.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a medium severity vulnerability. The EPSS score is not available, and the flaw is not listed in the KEV catalog, suggesting limited observed exploitation to date. Based on the description, it is inferred that the attack vector is remote and depends on an attacker\u2019s possession of an API key, which could be obtained via phishing, credential theft, or accidental sharing. Because the key is accepted without expiration validation, an attacker could reuse it indefinitely, creating a persistent risk until a patch is applied. Overall, the risk remains moderate, but continuous unauthorized access could occur if the issue is not addressed promptly."}}}}, "created": "2026-04-08T19:37:28.913321+00:00", "updated": "2026-04-08T19:48:48.170802+00:00", "vendors": ["papra-hq", "papra-hq$PRODUCT$papra"]}