Paperclip AI — Unauthenticated RCE via Four-Flaw Authorization Chain (CVE-2026-41679)

AI relevance: Paperclip AI is an open-source autonomous agent orchestration platform — a CVSS 10 flaw in its server means any unauthenticated attacker can deploy and trigger arbitrary agent commands on the host OS, directly compromising AI agent infrastructure.

CVE-2026-41679 is a maximum-severity (CVSS 10) unauthenticated remote code execution vulnerability in Paperclip AI, a Node.js/React platform for deploying and managing autonomous AI agents. The vulnerability is not a single bug but a chain of four independent authorization failures that allow any anonymous internet user to achieve full OS-level code execution on a Paperclip server in under 30 seconds and six API calls.

The four-flaw chain

The attack path exploits multiple gaps in Paperclip's authorization model:

  • Open registration by default. PAPERCLIP_AUTH_DISABLE_SIGN_UP defaults to false in the source, meaning anyone can self-register without an invite token or email verification. The variable is undocumented in the official deployment guide.
  • CLI auth self-approval. The POST /api/cli-auth/challenges endpoint has no actor check. An attacker creates a challenge and then self-approves it via the approval endpoint (which only checks "board user" status, not challenge ownership), obtaining a persistent board-level API key.
  • Import endpoint authorization bypass. While POST /api/companies correctly enforces assertInstanceAdmin, the import endpoint POST /api/companies/import skips this check when target.mode is new_company. The assertInstanceAdmin function is not even imported in the file — a complete omission.
  • Unsandboxed process adapter execution. The import bundle accepts a .paperclip.yaml specifying agent adapter settings. The process adapter takes command and args values and calls Node.js spawn() directly with zero sandboxing or input validation.

Triggering the agent via POST /api/agents/<id>/wakeup executes the attacker's command as the Paperclip server's OS user. A fully automated poc_exploit.sh demonstrates the complete chain end-to-end.
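The chain above is visible in ordinary API access logs as an ordered burst from one client: a challenge creation under /api/cli-auth/challenges, a company import, and an agent wakeup within a few seconds. The detector below is an added example, not code from the Paperclip project or from the original PoC. It assumes JSON-per-line access logs with ts, ip, method, path and status fields (a constructed format; adapt the parser to whatever your reverse proxy emits), and it deliberately does not depend on the approval endpoint's path, which the advisory does not give.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines. Timestamps, IPs and ids are made up;
# the endpoint paths are the ones named in the advisory, except the
# ".../approve" path, which is a placeholder (the real approval path is not
# given) and is not used by the detector.
SAMPLE_LOG = """\
{"ts": "2026-04-20T10:00:01Z", "ip": "203.0.113.7", "method": "POST", "path": "/api/cli-auth/challenges", "status": 201}
{"ts": "2026-04-20T10:00:04Z", "ip": "203.0.113.7", "method": "POST", "path": "/api/cli-auth/challenges/abc123/approve", "status": 200}
{"ts": "2026-04-20T10:00:09Z", "ip": "203.0.113.7", "method": "POST", "path": "/api/companies/import", "status": 201}
{"ts": "2026-04-20T10:00:15Z", "ip": "203.0.113.7", "method": "POST", "path": "/api/agents/9f2c/wakeup", "status": 200}
{"ts": "2026-04-20T10:05:00Z", "ip": "198.51.100.22", "method": "POST", "path": "/api/companies/import", "status": 201}
{"ts": "2026-04-20T11:00:00Z", "ip": "198.51.100.22", "method": "POST", "path": "/api/agents/77aa/wakeup", "status": 200}
"""

# The three stages of the chain that leave distinct request paths, in the
# order an attacker has to perform them.
STAGES = (
    ("cli_auth_challenge", re.compile(r"^/api/cli-auth/challenges/?$")),
    ("company_import", re.compile(r"^/api/companies/import/?$")),
    ("agent_wakeup", re.compile(r"^/api/agents/[^/]+/wakeup/?$")),
)
STAGE_ORDER = [name for name, _ in STAGES]


def parse_log(text):
    """Parse JSON-per-line access log text into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def classify(path):
    """Map a request path to a chain stage name, or None if unrelated."""
    for name, pattern in STAGES:
        if pattern.match(path):
            return name
    return None


def detect_chain(events, window=timedelta(minutes=10)):
    """Return one alert per client IP that performed all three stages in order
    within `window` of the first one. Only POST requests are considered."""
    by_ip = {}
    for ev in events:
        if ev["method"] != "POST":
            continue
        stage = classify(ev["path"])
        if stage is None:
            continue
        by_ip.setdefault(ev["ip"], []).append((ev["ts"], stage, ev["path"]))

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        i = 0
        while i < len(evs):
            ts0, stage, _ = evs[i]
            if stage != STAGE_ORDER[0]:
                i += 1
                continue
            want, hits, last_j = 1, [evs[i]], i
            for j in range(i + 1, len(evs)):
                if evs[j][0] - ts0 > window:
                    break  # later events are outside the correlation window
                if evs[j][1] == STAGE_ORDER[want]:
                    hits.append(evs[j])
                    last_j = j
                    want += 1
                    if want == len(STAGE_ORDER):
                        break
            if want == len(STAGE_ORDER):
                alerts.append({
                    "ip": ip,
                    "first_seen": ts0,
                    "last_seen": hits[-1][0],
                    "paths": [h[2] for h in hits],
                })
                i = last_j + 1  # do not re-count the same events
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(parse_log(SAMPLE_LOG)):
        print(f"{alert['ip']}: {alert['first_seen']} -> {alert['last_seen']} {alert['paths']}")
```

The second client in the sample log performs an import and a wakeup but never creates a CLI-auth challenge, and the two requests are an hour apart, so it is not flagged; a legitimate admin importing a company and waking an agent looks exactly like that. The window and the stage list are the tuning knobs: a patched instance should never see the full sequence from a single unprivileged client, so a single alert is worth investigating.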

Why it matters

  • Paperclip is designed for multi-tenant enterprise deployments; broken authorization at the orchestration layer means any exposed instance is one attack away from full server compromise.
  • The flaw affects all @paperclipai/server versions below 2026.416.0. A public PoC exists, raising active exploitation risk.
  • This mirrors a broader pattern in agent platforms: when AI orchestration services expose agent execution endpoints with weak tenant isolation, a single auth bypass cascades into host-level RCE.

What to do

  • Upgrade @paperclipai/server to version 2026.416.0 or later immediately.
  • Set PAPERCLIP_AUTH_DISABLE_SIGN_UP=true and require invite-based registration.
  • Deploy Paperclip servers behind authenticated reverse proxies; never expose the API directly to the internet.
  • Run the server process with minimal privileges and in a container with no host filesystem access.
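The first two remediation items can be checked mechanically. The script below is an added example, not part of the advisory or of the Paperclip project: it compares the installed @paperclipai/server version against the first fixed version named above and verifies that PAPERCLIP_AUTH_DISABLE_SIGN_UP is set to true. The node_modules location and the assumption that the package's own package.json carries its version are ordinary npm conventions, not something the advisory states.

```python
import json
import os
from pathlib import Path

# First fixed version of @paperclipai/server, as stated in the advisory.
FIXED_VERSION = "2026.416.0"


def parse_version(version):
    """Turn '2026.416.0' (optionally 'v'-prefixed or with a '-prerelease'
    suffix) into a tuple of ints so versions compare numerically."""
    core = version.strip().lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed server version is at or above the fix."""
    return parse_version(installed) >= parse_version(fixed)


def signup_disabled(env):
    """True only when the variable is explicitly 'true'; the source default
    is false, so an unset variable means open registration."""
    return env.get("PAPERCLIP_AUTH_DISABLE_SIGN_UP", "").strip().lower() == "true"


def audit(installed_version, env):
    """Return a list of human-readable findings; empty means both checks pass."""
    findings = []
    if not is_patched(installed_version):
        findings.append(
            f"@paperclipai/server {installed_version} is below {FIXED_VERSION}; upgrade"
        )
    if not signup_disabled(env):
        findings.append(
            "PAPERCLIP_AUTH_DISABLE_SIGN_UP is not 'true'; self-registration is open"
        )
    return findings


def installed_server_version(node_modules="node_modules"):
    """Read the installed version from the package's package.json (path is an
    assumption about a standard npm layout)."""
    pkg = Path(node_modules) / "@paperclipai" / "server" / "package.json"
    return json.loads(pkg.read_text())["version"]


if __name__ == "__main__":
    # Constructed demonstration values; on a real host replace them with
    # installed_server_version() and os.environ.
    demo_version = "2026.415.2"
    demo_env = {"PAPERCLIP_AUTH_DISABLE_SIGN_UP": "false"}
    for finding in audit(demo_version, demo_env) or ["no findings"]:
        print(finding)
```

Run it in a deployment pipeline and fail the deploy on any finding; the version check catches regressions where a lockfile pins an older server, and the environment check catches the undocumented default that leaves registration open.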
