CVE-2026-57957
Status: Received - Intake

Papermark CORS Misconfiguration Allows File Upload Attacks

Vulnerability report for CVE-2026-57957, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

No structured vendor or product entries are recorded yet; the description itself names Papermark through version 0.22.0 as affected.

Exploitability

CWE: CWE-942, Permissive Cross-domain Policy with Untrusted Domains. The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

Executive Summary

CVE-2026-57957 is a cross-origin resource sharing (CORS) misconfiguration in Papermark through version 0.22.0. The TUS-based viewer upload endpoint copies whatever Origin the request carries into the Access-Control-Allow-Origin response header while also setting Access-Control-Allow-Credentials to true. That combination tells the browser that a page on any origin may send the victim's cookies to the endpoint and read the response, which is exactly what the same-origin policy exists to prevent.

The attacker needs no Papermark account: they lure an authenticated user to a page they control, and script on that page silently issues credentialed cross-origin requests from the victim's browser. Those requests can upload arbitrary files into the victim's datarooms, and because the responses are readable cross-origin, the attacker's page can also consume whatever credentialed data the endpoint returns, giving unauthorised file injection and data access within the victim's session.

Impact Analysis

If you are an authenticated Papermark user, an attacker can use this flaw to upload arbitrary files into your datarooms without your knowledge or consent. The attacker does not need your password: by tricking you into visiting a page they control, they make your own browser send requests that carry your session, so the server treats them as yours.

Unauthorised uploads can plant malicious or misleading content in a dataroom, corrupt or crowd out legitimate files, and expose data to people who should not see it. Because the endpoint also lets the attacker's page read credentialed responses, information the upload endpoint returns under your session is exposed as well, compromising both the confidentiality and the integrity of your data.

Detection Guidance

This vulnerability is a CORS misconfiguration in the Papermark viewer upload endpoint: the server reflects any Origin header into Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials to true, which lets a page on any origin make credentialed cross-origin requests and read the responses.

To detect it on your own instance, send requests to the /api/file/tus-viewer endpoint with an Origin header you control and inspect the response headers. The endpoint is affected if Access-Control-Allow-Origin echoes that Origin and Access-Control-Allow-Credentials is true.

A simple way to test this is with curl. Send both a preflight (OPTIONS) and a plain request, because some handlers only attach CORS headers to one of them:

  • curl -i -X OPTIONS -H "Origin: https://malicious.example.com" -H "Access-Control-Request-Method: POST" https://your-papermark-instance/api/file/tus-viewer
  • curl -i -H "Origin: https://malicious.example.com" https://your-papermark-instance/api/file/tus-viewer
  • In either response, look for Access-Control-Allow-Origin: https://malicious.example.com together with Access-Control-Allow-Credentials: true. Repeat with a second, unrelated origin to confirm the value is reflected rather than a fixed allowlist entry that happens to match.

If the arbitrary origin is echoed back alongside Access-Control-Allow-Credentials: true, the endpoint has the described CORS misconfiguration. A wildcard Access-Control-Allow-Origin: * is not the same finding, since browsers refuse to honour a wildcard for credentialed requests. Whether an attacker page can actually ride a victim's session also depends on the session cookie's SameSite attribute: browsers attach a SameSite=None cookie to the cross-site fetch, withhold a Lax or Strict one, and treat a cookie with no attribute according to their own default. The header misconfiguration should be fixed regardless.
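The following script, added here as an example and not part of Papermark or of the advisory, automates the same check from Node.js so it can be run against several instances and the verdict logic can be tested offline. The endpoint path is taken from the advisory text; the probe origin https://attacker.example and the TUS header names listed in the preflight are assumptions for illustration.

```javascript
// Added example; this is not Papermark code. It automates the header check
// described above: does the endpoint echo an arbitrary Origin and also grant
// credentials? The path /api/file/tus-viewer comes from the advisory text; the
// probe origin and the TUS request headers in the preflight are assumptions.

const PROBE_ORIGIN = "https://attacker.example"; // arbitrary, assumed test origin
const ENDPOINT_PATH = "/api/file/tus-viewer";

// Pure classification over a header map (lowercase header name -> value).
// Kept separate from the network code so it can be unit-tested offline.
function classifyCors(headers, origin) {
  const acao = (headers["access-control-allow-origin"] || "").trim();
  const acac = (headers["access-control-allow-credentials"] || "").trim().toLowerCase();
  const vary = (headers["vary"] || "").toLowerCase().split(",").map((s) => s.trim());
  const reflected = acao !== "" && acao === origin;
  const credentials = acac === "true";
  return {
    acao,
    reflected,
    credentials,
    // Browsers refuse "*" combined with credentials, so only exact reflection of
    // the probe origin together with credentials=true yields a credentialed read.
    vulnerable: reflected && credentials,
    // A missing Vary: Origin is a secondary issue (shared caches can replay one
    // origin's ACAO value to another); reported, but not the finding itself.
    variesOnOrigin: vary.includes("origin"),
  };
}

// Send a CORS preflight and a plain request, because some handlers only attach
// CORS headers on OPTIONS. Needs Node 18+ for the global fetch.
async function probe(baseUrl, origin = PROBE_ORIGIN) {
  const url = new URL(ENDPOINT_PATH, baseUrl).toString();
  const requests = {
    preflight: {
      method: "OPTIONS",
      headers: {
        Origin: origin,
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "tus-resumable,upload-length,upload-metadata",
      },
    },
    plain: { method: "GET", headers: { Origin: origin } },
  };
  const report = {};
  for (const [name, init] of Object.entries(requests)) {
    const res = await fetch(url, { ...init, redirect: "manual" });
    // A fetch Headers object iterates as [lowercase-name, value] pairs.
    report[name] = { status: res.status, ...classifyCors(Object.fromEntries(res.headers), origin) };
  }
  return report;
}

// Usage: PAPERMARK_URL=https://your-papermark-instance node cors-probe.js
if (process.env.PAPERMARK_URL) {
  probe(process.env.PAPERMARK_URL)
    .then((r) => console.log(JSON.stringify(r, null, 2)))
    .catch((e) => console.error("probe failed:", e.message));
}
```

The report marks an endpoint as vulnerable only when the probe origin is echoed exactly and credentials are granted; a fixed allowlist value or a wildcard is reported but not flagged, matching the curl checks above.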

Mitigation Strategies

Immediate mitigation is to correct the CORS handling of the Papermark viewer upload endpoint so that the server never grants credentialed access to an origin it did not explicitly choose.

  • Compare the incoming Origin against an explicit allowlist of trusted origins (the application's own origin and any verified custom domains) using an exact match on the normalised scheme, host and port, and only then echo it in Access-Control-Allow-Origin. Do not match on substring or suffix, and do not accept the literal value null. Send Vary: Origin whenever the header is emitted so that caches do not replay one origin's grant to another.
  • Alternatively, if cross-origin callers of this endpoint do not need the user's cookies, drop Access-Control-Allow-Credentials: true altogether. That stops an attacker's page from reading the response; requests that do not trigger a preflight are still sent with cookies, so the endpoint also needs its normal CSRF protection.

After applying either change, re-run the curl checks from the detection section to confirm that an arbitrary origin is no longer echoed back. The advisory lists versions through 0.22.0 as affected; check the Papermark release notes for a release that includes the fix.
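For the first strategy, the following JavaScript sketch, added here as an example and not Papermark's own code, places a header builder that reproduces the described reflecting behaviour next to an allowlist-based replacement. The allowlist entries, the preflight responder and the TUS header names it exposes are assumptions for illustration, not Papermark's configuration.

```javascript
// Added example; not Papermark code. corsHeadersVulnerable() reproduces the
// behaviour the advisory describes (echo any Origin, grant credentials);
// corsHeadersHardened() is one allowlist-based replacement. The allowlist
// entries and the TUS header names below are assumptions for illustration.

const ALLOWED_ORIGINS = new Set([
  "https://app.papermark.example", // assumed primary application origin
  "https://docs.customer.example", // assumed verified customer custom domain
]);

// Vulnerable: whatever Origin arrives is echoed back, with credentials granted.
function corsHeadersVulnerable(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Normalise an Origin value to scheme://host[:port]. The literal "null", an
// unparsable value, or anything carrying userinfo, a path, a query or a fragment
// is rejected (a genuine Origin header never contains those).
function canonicalOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let u;
  try {
    u = new URL(value);
  } catch {
    return null;
  }
  if (u.username || u.password || u.pathname !== "/" || u.search || u.hash) return null;
  return u.origin; // lowercased host, default port removed
}

// Hardened: exact allowlist match on the canonical origin, credentials granted
// only to allowed origins, and Vary: Origin on every response so a cache never
// serves one origin's grant to another. Suffix or substring matching is avoided
// on purpose: https://app.papermark.example.attacker.example must not pass.
function corsHeadersHardened(origin, allowlist = ALLOWED_ORIGINS) {
  const canon = canonicalOrigin(origin);
  const base = { Vary: "Origin" };
  if (canon === null || !allowlist.has(canon)) return base; // no CORS grant at all
  return {
    ...base,
    "Access-Control-Allow-Origin": canon,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "POST, PATCH, HEAD, OPTIONS",
    "Access-Control-Allow-Headers":
      "Tus-Resumable, Upload-Length, Upload-Offset, Upload-Metadata, Content-Type",
    "Access-Control-Expose-Headers": "Location, Tus-Resumable, Upload-Offset, Upload-Length",
  };
}

// Preflight handling: allowed origins get 204 with the grant headers; everything
// else gets 403 with no grant, so the browser refuses the actual request.
function respondToPreflight(origin) {
  const headers = corsHeadersHardened(origin);
  const allowed = "Access-Control-Allow-Origin" in headers;
  return { status: allowed ? 204 : 403, headers };
}
```

Normalising through the URL parser before the allowlist lookup means "https://APP.papermark.example:443/" and "https://app.papermark.example" compare equal, while a lookalike host that merely ends in the allowed name is rejected. The exposed and allowed header lists are only what a TUS client needs; keep them to that set rather than reflecting Access-Control-Request-Headers.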
