Impact
Papra, a minimalistic document management platform, has a flaw in API key authentication: keys can carry an expiration timestamp (expiresAt), but that timestamp is never compared against the current time when a request is authenticated. As a result, every issued key is accepted indefinitely, whether or not it has expired. A holder of an expired key can therefore call protected endpoints exactly as if the key were still valid, which is unauthorized access. The issue is a failure to enforce a time-based validity constraint at authentication and is classified as CWE-613 (Insufficient Session Expiration).
Affected Systems
The vulnerability affects all Papra releases before version 26.4.0. On those versions, any API key that has been issued remains usable after its expiresAt value has passed. The affected product is papra-hq:papra; the fix shipped in release 26.4.0.
Risk and Exploitability
The CVSS score of 4.3 places the vulnerability at medium severity. No EPSS score is available and the flaw is not listed in the KEV catalog, which suggests no widely observed exploitation to date. From the description it is inferred that the attack is carried out remotely against the API and requires the attacker to already hold an API key, for example one obtained through phishing, credential theft, or accidental sharing. Because the key is accepted without any expiration check, such a key can be reused indefinitely, so the exposure persists until the patch is applied. Upgrading to 26.4.0 makes already-expired keys unusable, but it does not help with an exposed key whose expiresAt is still in the future; keys suspected of having leaked during the affected window should be revoked regardless of the upgrade. Overall the risk is moderate, with the caveat that unauthorized access can continue indefinitely if the issue is left unaddressed.
OpenCVE Enrichment