CVE-2026-41679

Paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass

Assigner: GitHub_M
Reserved: 22.04.2026 Published: 23.04.2026 Updated: 23.04.2026

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. No user interaction, no credentials, just the target's address. The chain consists of six API calls. The attack is fully automated, requires no user interaction, and works against the default deployment configuration. Version 2026.416.0 patches the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	paperclipai
Product	paperclip
Versions	Version < 2026.410.0 is affected

Vendor

paperclipai

Product

paperclip

Versions

Version < 2026.410.0 is affected

Vendor	paperclipai
Product	@paperclipai/server
Versions	Version < 2026.410.0 is affected

Vendor

paperclipai

Product

@paperclipai/server

Versions

Version < 2026.410.0 is affected

References

Problem Types

CWE-287: Improper Authentication CWE
CWE-862: Missing Authorization CWE
CWE-1188: Insecure Default Initialization of Resource CWE

CVE-2026-41679 PUBLISHED

Paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass

Metrics

Product Status

References

Problem Types