CVE-2026-35462: CWE-613: Insufficient Session Expiration in papra-hq papra
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0.
AI Analysis
Technical Summary
The vulnerability in papra before version 26.4.0 involves improper validation of API key expiration. Specifically, the system does not check if the current time exceeds the API key's expiresAt date during authentication, allowing expired keys to remain valid indefinitely. This results in insufficient session expiration, categorized under CWE-613. The vulnerability affects all API keys with expiration dates and permits continued access to all protected endpoints. The issue is resolved in papra version 26.4.0.
Potential Impact
An attacker or user possessing an expired API key can continue to access all protected endpoints as if the key were still valid. This undermines the intended access control mechanism based on API key expiration, potentially allowing unauthorized prolonged access. The impact is limited to confidentiality as per the CVSS vector (C:L/I:N/A:N), with no integrity or availability impact reported.
Mitigation Recommendations
Upgrade papra to version 26.4.0 or later, where the vulnerability is fixed by proper validation of API key expiration dates during authentication. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is confirmed by the vendor advisory indicating the fix is included starting with version 26.4.0.
CVE-2026-35462: CWE-613: Insufficient Session Expiration in papra-hq papra
Description
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in papra before version 26.4.0 involves improper validation of API key expiration. Specifically, the system does not check if the current time exceeds the API key's expiresAt date during authentication, allowing expired keys to remain valid indefinitely. This results in insufficient session expiration, categorized under CWE-613. The vulnerability affects all API keys with expiration dates and permits continued access to all protected endpoints. The issue is resolved in papra version 26.4.0.
Potential Impact
An attacker or user possessing an expired API key can continue to access all protected endpoints as if the key were still valid. This undermines the intended access control mechanism based on API key expiration, potentially allowing unauthorized prolonged access. The impact is limited to confidentiality as per the CVSS vector (C:L/I:N/A:N), with no integrity or availability impact reported.
Mitigation Recommendations
Upgrade papra to version 26.4.0 or later, where the vulnerability is fixed by proper validation of API key expiration dates during authentication. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is confirmed by the vendor advisory indicating the fix is included starting with version 26.4.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T19:25:52.193Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d51c3baaed68159a2c14fb
Added to database: 4/7/2026, 3:01:15 PM
Last enriched: 4/7/2026, 3:18:19 PM
Last updated: 4/8/2026, 12:43:05 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.