CVE-2024-35184

5.5 MEDIUM

📋 TL;DR

This vulnerability in Paperless-ngx allows remote authenticated users to access the API even when API access has been explicitly disabled in the configuration. This affects all Paperless-ngx installations running versions 2.5.0 through 2.8.5 where administrators have disabled API access for security reasons.

💻 Affected Systems

Products:
  • Paperless-ngx
Versions: 2.5.0 through 2.8.5
Operating Systems: All platforms running Paperless-ngx
Default Config Vulnerable: ✅ No
Notes: Only affects systems where API access has been explicitly disabled via configuration (PAPERLESS_ENABLE_HTTP_API=false).

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Authenticated users could bypass API access restrictions to perform unauthorized document operations, potentially accessing, modifying, or deleting sensitive documents.

🟠

Likely Case

Users with valid credentials could access API endpoints they shouldn't have access to, violating intended access controls and potentially exposing sensitive document data.

🟢

If Mitigated

With proper network segmentation and authentication controls, the impact is limited to authorized users gaining additional API access beyond what was intended.

🌐 Internet-Facing: MEDIUM - Internet-facing instances are at risk if attackers obtain valid credentials through other means, but exploitation requires authentication.
🏢 Internal Only: MEDIUM - Internal users with credentials could bypass API restrictions, but requires existing access to the system.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials and knowledge of the API endpoints. The flaw lies in the check that is supposed to refuse API requests when the API has been disabled, which authenticated users can get past.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.6

Vendor Advisory: https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-72w4-hxqq-c256

Restart Required: Yes

Instructions:

  1. Back up your Paperless-ngx instance and database.
  2. Update to version 2.8.6 or later using your deployment method (Docker, manual install, etc.).
  3. Restart the Paperless-ngx service.
  4. Verify the fix by checking the version and testing API access with PAPERLESS_ENABLE_HTTP_API=false.

🔧 Temporary Workarounds

Disable API via network controls (platform: linux)

Block API port access at the firewall/load balancer level:

# Example iptables rule to block API port (default 8000)
iptables -A INPUT -p tcp --dport 8000 -j DROP

Enable API with strict authentication (platform: all)

Keep the API enabled but implement strict authentication and access controls:

# Set in paperless.conf or environment
PAPERLESS_ENABLE_HTTP_API=true
# Configure strong authentication methods

🧯 If You Can't Patch

  • Implement network segmentation to restrict API endpoint access to trusted IPs only
  • Enable detailed API access logging and monitor for unauthorized API usage patterns

🔍 How to Verify

Check if Vulnerable:

Check if running Paperless-ngx version 2.5.0-2.8.5 with PAPERLESS_ENABLE_HTTP_API=false, then test if authenticated users can access /api/ endpoints.

Check Version:

docker exec paperless-ngx python -c "import paperless; print(paperless.__version__)"

Alternatively, check the version shown in the web interface footer.

Verify Fix Applied:

After updating to 2.8.6+, verify that with PAPERLESS_ENABLE_HTTP_API=false, API endpoints return proper 403/404 errors for authenticated users.

📡 Detection & Monitoring

Log Indicators:

  • API access logs showing successful requests when PAPERLESS_ENABLE_HTTP_API=false
  • Authentication logs showing users accessing /api/ endpoints

Network Indicators:

  • HTTP requests to /api/* endpoints from authenticated sessions when API should be disabled

SIEM Query:

source="paperless-ngx" (path="/api/*" AND response_status=200) AND message="API disabled"
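The log indicator above as detection logic, added here as an example that is not part of this advisory or of the Paperless-ngx project. It runs over constructed reverse-proxy access lines in Combined Log Format (the proxy layout and the sample entries are assumptions) and flags every successful (2xx) request to an /api/ path while the deployment is configured with the API disabled.

```python
"""Flag successful /api/ requests on an instance that has the API disabled.

Added example; the log lines below are constructed, in Combined Log Format
as a reverse proxy in front of Paperless-ngx might write them (assumption).
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
10.0.0.5 - alice [12/May/2024:10:01:02 +0000] "GET /api/documents/ HTTP/1.1" 200 5120 "-" "curl/8.0"
10.0.0.5 - alice [12/May/2024:10:01:05 +0000] "GET /documents/ HTTP/1.1" 200 8990 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:02:10 +0000] "GET /api/documents/ HTTP/1.1" 401 0 "-" "curl/8.0"
10.0.0.7 - bob [12/May/2024:10:03:33 +0000] "DELETE /api/documents/42/ HTTP/1.1" 204 0 "-" "python-requests/2.31"
10.0.0.7 - bob [12/May/2024:10:04:00 +0000] "GET /api/ HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Finding:
    ts: str
    ip: str
    user: str
    method: str
    path: str
    status: int


def find_api_bypass(log_text: str, api_enabled: bool) -> list[Finding]:
    """Return 2xx responses to /api/ paths; only meaningful when api_enabled is False.

    On a correctly enforcing instance such requests must not succeed, so each
    hit means the restriction was bypassed or the config is not what you assume.
    """
    if api_enabled:
        return []  # API is meant to be reachable; nothing to flag
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        path = m["path"].split("?", 1)[0]  # ignore query string
        status = int(m["status"])
        if path.startswith("/api/") and 200 <= status < 300:
            findings.append(Finding(m["ts"], m["ip"], m["user"], m["method"], path, status))
    return findings


if __name__ == "__main__":
    for f in find_api_bypass(SAMPLE_LOG, api_enabled=False):
        print(f"{f.ts} {f.user}@{f.ip} {f.method} {f.path} -> {f.status}")
```

Feed it the proxy log of an instance that has PAPERLESS_ENABLE_HTTP_API=false; the 401 and 403 lines are correctly ignored, while the write operation by bob is the kind of hit worth an alert.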
