CVE-2026-35461 MEDIUM

CVE-2026-35461: Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL

Vendor Papra-Hq
Product papra
Weakness CWE-918 · SSRF
Published April 7, 2026
Last update April 9, 2026
View on NVD All CVEs

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
April 9, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-29840 Server Side Request Forgery Vulnerability in Western Digital My Cloud Devices CVE-2025-54924 CVE-2025-13096 XML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow - CVE-2025-12136 Real Cookie Banner: GDPR & ePrivacy Cookie Consent <= 5.2.4 - Authenticated (Admin+) Server-Side Request Forgery via scan-without-login Endpoint CVE-2025-12359 Responsive Lightbox & Gallery <= 2.5.3 - Authenticated (Author+) Server-Side Request Forgery