| Title | Papra HQ Papra 0.5.0 Improper Authentication |
|---|---|
| Description | The Papra application contains a broken authentication vulnerability where API key expiration is not enforced during the authentication process. Although API keys include an `expiresAt` field intended to limit their validity, the system retrieves keys based solely on their hash and does not verify whether the key has expired, either in the database query or within the authentication middleware. As a result, expired API keys remain valid indefinitely and can continue to be used for authenticated requests, allowing persistent unauthorized access and undermining credential lifecycle security controls. |
| Source | https://github.com/lakshayyverma/CVE-Discovery/blob/main/Para2.md |
| User | lakshay12311 (UID 91298) |
| Submission | 03/27/2026 11:28 (28 days ago) |
| Moderation | 04/19/2026 07:25 (23 days later) |
| Status | Duplicate |
| VulDB entry | 355798 [papra-hq papra up to 26.3.x session expiration] |
| Points | 0 |
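
The pattern in the Description field, shown as an added example that is neither Papra's code nor part of the submission: a lookup keyed only on the key hash beside one that also enforces `expiresAt`. The store, the function names, the sample rows and the reading of a null `expiresAt` as "never expires" are assumptions made for illustration.

```javascript
// Added illustration; not Papra's code. Only the expiresAt field name comes
// from the description above; every other name here is hypothetical.

// Fixed clock so the results are repeatable.
const NOW = Date.parse('2026-03-27T00:00:00Z');

// Constructed rows standing in for the API-key table, indexed by key hash.
// The hash strings are placeholders, not real digests.
const apiKeys = new Map([
  ['hash-active', { userId: 'u1', expiresAt: new Date('2027-01-01T00:00:00Z') }],
  ['hash-expired', { userId: 'u2', expiresAt: new Date('2025-01-01T00:00:00Z') }],
  ['hash-no-expiry', { userId: 'u3', expiresAt: null }], // assumption: null = no expiry
  ['hash-bad-date', { userId: 'u4', expiresAt: new Date('not a date') }],
]);

// A key is expired when its expiry time is at or before "now".
// An unparseable date (NaN) is treated as expired so the check fails closed.
function isExpired(row, now) {
  if (row.expiresAt === null) return false;
  const t = row.expiresAt.getTime();
  return !Number.isFinite(t) || t <= now;
}

// Flawed pattern: the hash is the only criterion, so an expired row
// authenticates exactly like a live one.
function authenticateHashOnly(keyHash) {
  const row = apiKeys.get(keyHash);
  return row ? { status: 200, userId: row.userId } : { status: 401 };
}

// Corrected pattern: a row must exist AND be unexpired before it is accepted.
// In a real service the same condition also belongs in the database query,
// so that expired rows are never returned to the middleware at all.
function authenticateWithExpiry(keyHash, now = Date.now()) {
  const row = apiKeys.get(keyHash);
  if (!row || isExpired(row, now)) return { status: 401 };
  return { status: 200, userId: row.userId };
}
```

A regression test for the fix should include at least one key whose `expiresAt` is in the past and assert that it is rejected, since the hash-only path passes every test that uses only live keys.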