CVE-2026-35462 Overview
CVE-2026-35462 is an authentication bypass vulnerability in Papra, a minimalistic document management and archiving platform. Prior to version 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid.
Critical Impact
Expired API keys remain functional indefinitely, allowing unauthorized persistent access to protected endpoints and potential data exposure in document management systems.
Affected Products
- Papra versions prior to 26.4.0
- Papra document management and archiving platform (all installations with API key authentication)
Discovery Timeline
- 2026-04-07 - CVE-2026-35462 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35462
Vulnerability Analysis
This vulnerability falls under CWE-613 (Insufficient Session Expiration), where the application fails to properly invalidate authentication credentials after their intended expiration. In Papra's implementation, the API key authentication mechanism accepts the expiresAt field during key creation but never enforces this constraint during subsequent authentication requests.
When a user authenticates with an API key, the system verifies the key's validity (existence and correct value) but completely bypasses the expiration timestamp check. This allows any API key — even one that should have been invalidated months or years ago — to maintain full access to protected endpoints.
The impact is particularly concerning in enterprise document management scenarios where API keys may be issued to contractors, temporary employees, or third-party integrations with specific time-limited access requirements. Organizations relying on key expiration as a security control would have a false sense of security while expired credentials remain active.
Root Cause
The root cause is a missing validation check in the API key authentication flow. When processing incoming API requests, the authentication middleware retrieves the API key record from the database and validates the key value itself, but neglects to compare the expiresAt timestamp against the current server time. This omission allows expired keys to pass authentication checks.
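The following is an added, simplified model of the missing check described above. It is not Papra's code: the in-memory key store, the `revokedAt` field and the function names are assumptions for the example; only the `expiresAt` field name comes from the advisory. The vulnerable and hardened lookups sit side by side so the single missing comparison is visible.

```javascript
// Illustrative model of CVE-2026-35462 (CWE-613), not Papra's implementation.
// Key store, field names other than expiresAt, and helpers are assumed here.

// Constructed in-memory key store standing in for the api_keys table.
const apiKeys = new Map([
  ['key_active',  { userId: 'u1', expiresAt: new Date('2030-01-01T00:00:00Z'), revokedAt: null }],
  ['key_expired', { userId: 'u2', expiresAt: new Date('2025-01-01T00:00:00Z'), revokedAt: null }],
  ['key_noexp',   { userId: 'u3', expiresAt: null, revokedAt: null }],
]);

// Vulnerable flow: the record is looked up and checked for revocation,
// but expiresAt is never compared against the current time.
function authenticateVulnerable(keyValue) {
  const record = apiKeys.get(keyValue);
  if (!record || record.revokedAt) return null;
  return { userId: record.userId };           // an expired key passes here
}

// Hardened flow: same lookup plus the missing expiration check.
// `now` is injected so the check is testable and clock-independent.
function authenticateFixed(keyValue, now = new Date()) {
  const record = apiKeys.get(keyValue);
  if (!record || record.revokedAt) return null;
  if (record.expiresAt && record.expiresAt.getTime() <= now.getTime()) {
    return null;                              // key has expired: reject
  }
  return { userId: record.userId };
}
```

A real implementation would also compare the presented key against a stored hash rather than using it as a map lookup; that part is left out to keep the expiration check in focus.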
Attack Vector
An attacker who previously had legitimate access to a Papra instance via an API key can continue using that key after its intended expiration date. The attack requires network access to the Papra API endpoints and possession of a previously valid API key. No user interaction is required, and the attacker maintains the same privilege level they had when the key was active.
Exploitation is straightforward: the holder simply continues making API requests with the expired key. Because no expiration validation occurs, the requests are processed normally, granting access to document management features, file retrieval, and any other functionality authorized by the original key's permissions.
Detection Methods for CVE-2026-35462
Indicators of Compromise
- API requests authenticated with keys that have expiresAt timestamps in the past
- Successful authentication events from API keys that should have been revoked or expired
- Unusual access patterns from API keys associated with former employees or expired integrations
- Continued API activity from keys issued to time-limited projects or contractors
Detection Strategies
- Audit API key usage logs and correlate with expiration dates stored in the database
- Implement monitoring rules to alert on authentication attempts using keys past their expiresAt date
- Review access logs for API keys that were expected to be inactive based on their configured expiration
- Deploy database queries to identify active sessions or recent activity from expired keys
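As an added example of the first two strategies (not a Papra tool), the function below correlates access-log lines with the expiration dates exported from the key table and reports every successful request made with a key that had already expired at request time. The log line format, field names and key identifiers are constructed for the example; adapt the regex to what your deployment actually logs.

```javascript
// Added detection example for CVE-2026-35462; log format and key table are constructed.

// Constructed key metadata, as it might be exported from the api_keys table.
const keyTable = {
  k1: { expiresAt: '2030-01-01T00:00:00Z' },
  k2: { expiresAt: '2026-03-01T00:00:00Z' },   // expired before the log window
  k3: { expiresAt: null },                     // never expires
};

// Constructed access-log lines: timestamp, key id, request path, HTTP status.
const logLines = [
  '2026-04-08T10:15:02Z key=k1 path=/api/documents status=200',
  '2026-04-08T10:16:40Z key=k2 path=/api/documents/42 status=200',
  '2026-04-08T10:17:01Z key=k2 path=/api/documents/42/file status=200',
  '2026-04-08T10:18:15Z key=k3 path=/api/tags status=200',
  '2026-04-08T10:19:00Z key=k9 path=/api/documents status=200',
];

const LINE_RE = /^(\S+) key=(\S+) path=(\S+) status=(\d{3})$/;

// Return every successful request whose key had expired before the request.
// Keys missing from the exported table are reported separately rather than
// silently dropped, since a successful request with an unknown key is itself worth a look.
function findExpiredKeyUse(lines, keys) {
  const hits = [];
  const unknown = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;                          // skip lines that do not parse
    const [, ts, keyId, path, status] = m;
    if (status !== '200') continue;            // only successful authentication matters here
    const meta = keys[keyId];
    if (!meta) { unknown.push(keyId); continue; }
    if (meta.expiresAt && new Date(ts) > new Date(meta.expiresAt)) {
      hits.push({ ts, keyId, path });
    }
  }
  return { hits, unknown };
}
```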
Monitoring Recommendations
- Enable detailed logging of API authentication events including key identifiers and timestamps
- Implement real-time alerting for authentication attempts with expired credentials
- Schedule periodic audits comparing API key expiration dates against recent usage patterns
- Monitor for anomalous access to sensitive documents from historically inactive API keys
How to Mitigate CVE-2026-35462
Immediate Actions Required
- Upgrade Papra to version 26.4.0 or later immediately
- Audit all existing API keys and revoke any that have passed their intended expiration date
- Review access logs for potential unauthorized access via expired keys
- Regenerate API keys for legitimate users and integrations with appropriate expiration settings
Patch Information
The vulnerability is fixed in Papra version 26.4.0. This update implements proper validation of the expiresAt timestamp during the API key authentication process. Organizations should upgrade immediately and can reference the GitHub Security Advisory for additional details.
Workarounds
- Manually revoke all API keys that have reached their intended expiration date
- Implement a cron job or scheduled task to periodically invalidate expired keys at the database level
- Deploy a reverse proxy or API gateway that performs additional expiration validation before forwarding requests
- Consider temporarily disabling API key authentication and using alternative authentication methods until the patch is applied
-- Example: query to identify expired API keys still present in the database
-- (adjust table and column names for your schema and database engine).
-- Review the results and manually revoke the expired keys until the patch is applied.
SELECT id, user_id, created_at, expires_at
FROM api_keys
WHERE expires_at < NOW()
  AND revoked_at IS NULL;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.