CVE-2026-35461

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq	Exploit Vendor Advisory
https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:papra:papra:*:*:*:*:*:*:*:*

History

24 Apr 2026, 15:29

Type	Values Removed	Values Added
CPE		cpe:2.3:a:papra:papra::::::::
First Time		Papra Papra papra
References	~~() https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq -~~	() https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq - Exploit, Vendor Advisory

09 Apr 2026, 15:16

Type	Values Removed	Values Added
References	~~() https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq -~~	() https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq -

07 Apr 2026, 15:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-07 15:17

Updated : 2026-04-24 15:29

NVD link : CVE-2026-35461

Mitre link : CVE-2026-35461

CVE.ORG link : CVE-2026-35461

JSON object : View

Products Affected

papra

papra

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-35461", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-04-07T15:17:44.047", "references": [{"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0."}], "lastModified": "2026-04-24T15:29:00.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:papra:papra:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D2F10801-36E9-47AD-AD2D-DA4709B67B72", "versionEndExcluding": "26.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}