A maximum-severity vulnerability in the paperclipai server npm package enables any remote, unauthenticated attacker to execute arbitrary commands on affected servers, with no credentials, no user interaction, and no invite code required.
Security researchers and enterprise AI platform operators should treat this as an active exploitation risk requiring immediate patching.
Paperclip is an open-source AI agent orchestration platform that allows organizations to deploy, manage, and interact with autonomous AI agents via a self-hosted server.
The @paperclipai/server npm package forms the core backend runtime, exposing REST APIs for agent control, company management, CLI authentication, and data import/export.
Because it can be deployed in “authenticated mode” for multi-tenant teams, its authorization model is a critical trust boundary, and that boundary has now been broken.
Four-Flaw Chain to Full RCE
The attack is not a single bug but a chain of four independent authorization failures that, when combined, take an anonymous internet user to full OS-level code execution in under 30 seconds.
Flaw 1 – Open Registration by Default
The server configuration variable PAPERCLIP_AUTH_DISABLE_SIGN_UP defaults to false in server/src/config.ts:169-173, meaning anyone can self-register an account with no invite token and no email verification (email verification is hardcoded off in server/src/auth/better-auth.ts:89-93).
Critically, this environment variable is not documented in the official deployment guide, leaving operators unaware of the exposure.
Flaw 2 – CLI Auth Self-Approval (No Creator Check)
After creating an account, the attacker can issue a CLI auth challenge via POST /api/cli-auth/challenges, an endpoint with no actor check whatsoever.
The approval handler at server/src/routes/access.ts:1687-1704 only verifies that the approver is a “board user,” but never checks whether the approver is the same person who created the challenge. This yields a persistent board-level API key within two API calls.
Flaw 3 – Import Endpoint Authorization Bypass (The Critical RCE Path)
This is the heart of the vulnerability. The direct company creation endpoint POST /api/companies correctly enforces assertInstanceAdmin, but the import endpoint POST /api/companies/import does not apply this check when target.mode is new_company.
The assertInstanceAdmin function is not even imported in companies.ts, meaning a regular board user can create an entirely new company tenant by abusing the import pathway.
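As an added illustration (it is not the project's code), the following TypeScript sketch models the two missing checks described under Flaw 2 and Flaw 3: approval of a CLI auth challenge must reject the challenge's own creator, and the import path must apply the instance-admin check for new_company just as direct company creation does. Actor, Challenge, ImportTarget and the guard functions are assumed names; each guard is shown in its vulnerable and hardened form through a flag.

```typescript
// Added example, not project code: models the two missing authorization
// checks described for CLI auth approval and company import. Every name
// here (Actor, Challenge, ImportTarget, the guards) is hypothetical.

type Role = "instance_admin" | "board";

interface Actor { id: string; role: Role; companyIds: string[] }
interface Challenge { id: string; createdBy: string }
interface ImportTarget { mode: "new_company" | "existing_company"; companyId?: string }

// Each guard returns null when the check passes, or a denial reason.
type Denial = string | null;

function assertBoard(a: Actor): Denial {
  return a.role === "board" || a.role === "instance_admin" ? null : "board access required";
}
function assertInstanceAdmin(a: Actor): Denial {
  return a.role === "instance_admin" ? null : "instance admin required";
}
function assertCompanyAccess(a: Actor, companyId: string): Denial {
  if (a.role === "instance_admin") return null;
  return a.companyIds.includes(companyId) ? null : `no access to company ${companyId}`;
}

// Flaw 2 shape: approval only checks board membership, so the creator of a
// challenge can approve it and mint a board API key for themselves.
function authorizeApproval(approver: Actor, c: Challenge, hardened: boolean): Denial {
  const board = assertBoard(approver);
  if (board) return board;
  if (hardened && c.createdBy === approver.id) return "challenge creator cannot self-approve";
  return null;
}

// Flaw 3 shape: the import path must mirror direct company creation, so
// new_company requires an instance admin and existing targets require membership.
function authorizeImport(a: Actor, t: ImportTarget, hardened: boolean): Denial {
  const board = assertBoard(a);
  if (board) return board;
  if (!hardened) return null; // vulnerable: no further check after assertBoard
  if (t.mode === "new_company") return assertInstanceAdmin(a);
  if (!t.companyId) return "companyId required for existing_company";
  return assertCompanyAccess(a, t.companyId);
}

// Constructed sample: a freshly self-registered board user with no tenants.
const newcomer: Actor = { id: "u-new", role: "board", companyIds: [] };
const admin: Actor = { id: "u-admin", role: "instance_admin", companyIds: [] };
const ownChallenge: Challenge = { id: "ch-1", createdBy: "u-new" };
const newTenant: ImportTarget = { mode: "new_company" };
```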
Flaw 4 – Unsandboxed Process Adapter Execution
The import bundle accepts a .paperclip.yaml configuration file that specifies agent adapter settings. The process adapter takes a command and args value and calls Node.js spawn() directly with zero sandboxing or validation.
By embedding a malicious process adapter in the import payload, the attacker deploys an agent pre-configured to run arbitrary bash commands.
Triggering the agent via POST /api/agents/<id>/wakeup, which only checks assertCompanyAccess (a check the attacker trivially passes because they own the imported company), causes the server to execute the attacker’s command as the Paperclip server’s OS user.
Six API Calls to Total Takeover
A security researcher published a fully automated poc_exploit.sh bash script that performs the complete chain and confirms OS-level code execution in under 30 seconds. The six-step sequence is:
- POST /api/auth/sign-up/email – create an attacker account (no invite, no verification)
- POST /api/auth/sign-in/email – obtain a session cookie
- POST /api/cli-auth/challenges – create a CLI challenge (unauthenticated endpoint)
- POST /api/cli-auth/challenges/<id>/approve – self-approve the challenge to obtain a persistent board API key
- POST /api/companies/import – import a malicious bundle containing a process adapter agent that runs bash -c "id > /tmp/pwned.txt"
- POST /api/agents/<id>/wakeup – trigger the agent, achieving arbitrary command execution as the server OS user
The 2026.410.0 patch that fixed the import bypass did not fully audit related route handlers. A distinct but structurally identical advisory, GHSA-47wq-cj9q-wpmp, was discovered during an AI-assisted security scan via variant-hunt analysis of the original RCE chain.
The /api/agents/:id/keys endpoints (GET, POST, DELETE) only call assertBoard and never call assertCompanyAccess, allowing any authenticated user, including a zero-membership account, to mint a plaintext pcp_* agent API token tied to any victim tenant.
This enables full cross-tenant data exfiltration (company metadata, issues, approvals, agent configs) and agent disruption (pause, terminate, delete any agent across any tenant).
An attacker who successfully exploits CVE-2026-41679 gains the following capabilities on the target system:
- Full filesystem read/write as the Paperclip server OS user
- Complete database access to all Paperclip-stored data, AI agent configurations, API keys, and tenant information
- Internal network pivoting from the compromised server host
- Disruption of all AI agent operations across every tenant on the instance
- Persistent access through a valid board API key that survives server restarts
The vulnerability is classified under three CWEs: CWE-287 (Improper Authentication), CWE-862 (Missing Authorization), and CWE-1188 (Initialization of a Resource with an Insecure Default).
Affected Versions and Patch
Published on April 9, 2026, under GitHub Security Advisory GHSA-68qg-g8mg-6pr7 and assigned CVE-2026-41679, this critical flaw carries a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and affects all paperclipai server and paperclipai npm package versions below 2026.416.0.
| Component | Affected Versions | Patched Version |
|---|---|---|
| @paperclipai/server (npm) | < 2026.416.0 | 2026.416.0 |
| paperclipai (npm) | < 2026.416.0 | 2026.416.0 |
Operators should immediately upgrade to version 2026.416.0 or later.
Mitigations
Beyond patching, security teams should apply the following hardening measures:
- Disable open registration by default – Set PAPERCLIP_AUTH_DISABLE_SIGN_UP=true in your deployment environment, or change the default in server/src/config.ts:172 from ?? false to ?? true
- Block CLI auth self-approval – Patch server/src/routes/access.ts around line 1700 to reject approval when the approver and the challenge creator are the same user
- Enable email verification – Set requireEmailVerification: true in server/src/auth/better-auth.ts:91 to raise the bar for throwaway attacker accounts
- Add assertInstanceAdmin to import endpoints – Apply the same admin check to both POST /companies/import and POST /companies/import/preview for new_company mode
- Audit all assertBoard-only handlers – Perform a code-wide sweep for assertBoard(req) calls not followed by assertCompanyAccess or assertInstanceAdmin, as the pattern is systemic across route files
- Network-restrict the Paperclip port – Place the server (default port 3100) behind a firewall or VPN; never expose it directly to the public internet
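One way to carry out the assertBoard-only sweep from the list above, as an added example rather than project tooling: a line-based heuristic in TypeScript that splits a route file into handler regions at each Express-style registration and flags any region whose assertBoard(req) call is not followed by assertCompanyAccess or assertInstanceAdmin. The registration pattern, the sample source and the Finding shape are assumptions.

```typescript
// Added example, not project tooling: a coarse sweep for route handlers that
// call assertBoard(req) with no later tenant or admin check in the same handler.
// It is a line-based heuristic, not a parser; the sample source is constructed.
interface Finding {
  route: string; // e.g. "GET /api/agents/:id/keys"
  line: number;  // 1-based line of the assertBoard call
}

// Express-style registrations such as router.get("/path", ...) delimit handlers.
const ROUTE_RE = /\b(?:router|app)\.(get|post|put|patch|delete)\(\s*["'`]([^"'`]+)["'`]/;
const BOARD_RE = /\bassertBoard\s*\(\s*req\s*\)/;
const FOLLOWUP_RE = /\bassert(?:CompanyAccess|InstanceAdmin)\s*\(/;

function auditBoardOnlyHandlers(source: string): Finding[] {
  const lines = source.split("\n");
  const starts: { idx: number; route: string }[] = [];
  lines.forEach((text, idx) => {
    const m = ROUTE_RE.exec(text);
    if (m) starts.push({ idx, route: `${m[1].toUpperCase()} ${m[2]}` });
  });
  const findings: Finding[] = [];
  starts.forEach((start, n) => {
    // A handler's region runs until the next registration (or end of file).
    const end = n + 1 < starts.length ? starts[n + 1].idx : lines.length;
    const body = lines.slice(start.idx, end);
    const boardAt = body.findIndex((t) => BOARD_RE.test(t));
    if (boardAt === -1) return;
    if (!body.slice(boardAt).some((t) => FOLLOWUP_RE.test(t))) {
      findings.push({ route: start.route, line: start.idx + boardAt + 1 });
    }
  });
  return findings;
}

// Constructed sample reproducing the board-only pattern the advisory describes.
const SAMPLE_ROUTES = `
router.get("/api/agents/:id/keys", async (req, res) => {
  assertBoard(req);
  res.json(await listKeys(req.params.id));
});
router.post("/api/agents/:id/wakeup", async (req, res) => {
  assertBoard(req);
  assertCompanyAccess(req, agent.companyId);
  res.json(await wake(req.params.id));
});
router.post("/api/companies", async (req, res) => {
  assertInstanceAdmin(req);
  res.json(await createCompany(req.body));
});
`;
```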
Frequently Asked Questions
Q1: Does this vulnerability require any existing credentials or prior access to exploit?
No, the entire attack chain, from zero access to OS-level command execution, requires no credentials, no invite code, no email verification, and no user interaction on the target’s part.
Q2: Is the patched version 2026.416.0 fully safe, or are there residual risks from the sibling advisory GHSA-47wq-cj9q-wpmp?
The 2026.416.0 patch closes the primary RCE path. Still, operators should verify that the cross-tenant token minting flaw (GHSA-47wq-cj9q-wpmp) is also addressed, as it was discovered post-patch and affects the same default deployment configuration.
Q3: How can I tell if my Paperclip instance has already been compromised via this vulnerability?
Look for unexpected files in /tmp/ (e.g., pwned.txt), newly created companies or agents you don’t recognize, and unusual session or API key activity in your authentication logs from the period before patching.
Q4: Does restricting public internet access to the Paperclip port fully mitigate CVE-2026-41679 without upgrading?
Network isolation significantly reduces risk but does not eliminate it; any internal user or compromised internal host could still execute the full six-step chain, so upgrading to 2026.416.0 remains the authoritative fix.
Site: https://thecybrdef.com