Executive Summary

This vulnerability exists in the Papra document management and archiving platform versions prior to 26.4.0. The issue is that API keys with an expiration date (expiresAt) are never checked against the current time during authentication. As a result, any API key, even if it has expired, is accepted indefinitely. This means a user with an expired API key can continue accessing all protected endpoints as if the key were still valid.

Technically, the problem lies in the authentication logic where the database query that retrieves API keys does not filter out keys based on their expiration time. The middleware trusts the returned API key without verifying if it has expired. This flaw allows expired API keys to be reused indefinitely.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any user or integration with an API key that was intended to expire to retain full access indefinitely. This can impact contractors, third-party integrations, or any compromised keys that administrators tried to expire.

Because expired keys are accepted, unauthorized continued access to protected resources is possible, potentially leading to data exposure or misuse. It violates security best practices by allowing indefinite use of credentials that should have been revoked.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability violates compliance policies that require time-bounded credential rotation and proper session expiration. Regulations such as GDPR and HIPAA mandate strict access controls and timely revocation of credentials to protect sensitive data.

By allowing expired API keys to remain valid indefinitely, the system fails to enforce these controls, potentially leading to non-compliance with standards that require limiting access duration and ensuring that credentials are invalidated after expiration.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether expired API keys are still accepted by the Papra system. Specifically, you can verify if API keys with an expiration date set in the past continue to grant access to protected endpoints.

A suggested approach is to manually set an API key's expiration date to a past timestamp in the database and then attempt to use that key to access the API. If the key is accepted, the vulnerability exists.

• 1. Identify an API key in use.
• 2. Update the `expires_at` field for that API key in the Papra SQLite database to a past date, for example using an SQLite command: `UPDATE api_keys SET expires_at = '2020-01-01T00:00:00Z' WHERE key_hash = '<your_key_hash>';`
• 3. Restart the Papra service to ensure changes take effect.
• 4. Use the expired API key to make an authenticated request to a protected endpoint, for example with curl: `curl -H "Authorization: Bearer <expired_api_key>" https://your-papra-instance/api/protected-endpoint`

If the request returns HTTP 200 and valid data instead of HTTP 401 Unauthorized, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Papra to version 26.4.0 or later, where this vulnerability is fixed.

Until the upgrade can be applied, consider the following temporary measures:

• Revoke and regenerate all API keys to ensure no expired keys remain in use.
• Implement additional access controls or monitoring to detect and block usage of expired API keys.
• Restrict API key issuance and usage to trusted users and integrations only.

Ultimately, applying the official patch in version 26.4.0 is necessary to properly enforce API key expiration.

Useful 0 Not Useful 0