CVE-2026-35461
MEDIUMPapra <26.4.0 Webhook URL - Blind Server-Side Request Forgery
Title source: manualDescription
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq
Scores
CVSS v3
5.0
EPSS
0.0021
EPSS Percentile
11.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
papra-hq/papra
< 26.4.0
Published
Apr 07, 2026
Tracked Since
Apr 07, 2026