CVE-2026-41208
Privilege Escalation in Paperclip Server via Agent API Command Injection
Publication date: 2026-04-23
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| paperclip | paperclipai | versions before 2026.416.0 (2026.416.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute arbitrary operating system commands on the Paperclip server host, potentially leading to unauthorized access to sensitive data, exfiltration of secrets, and full compromise of the deployment environment.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information, maintaining confidentiality, integrity, and availability of data.
Because the vulnerability enables privilege escalation and remote code execution, it increases the risk of violating these regulatory requirements by exposing sensitive data and critical systems to attackers.
Can you explain this vulnerability to me?
CVE-2026-41208 is a high-severity privilege escalation vulnerability in the Paperclip Node.js server. It allows an attacker who has an Agent API key to execute arbitrary operating system commands on the Paperclip server host.
The vulnerability arises because agents can modify their own adapter configuration through the /agents/:id API endpoint, specifically the field adapterConfig.workspaceStrategy.provisionCommand. This field is executed by the server runtime as a shell command without any validation or escaping.
As a result, an attacker controlling an agent credential can inject malicious shell commands that the server executes during workspace provisioning, breaking the intended trust boundary between the agent runtime and the server host. This leads to remote code execution on the server host with the privileges of the Paperclip server process.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full remote command execution on the Paperclip server host.
- Attackers can read environment variables and exfiltrate secrets.
- They can modify repositories and access database credentials.
- Attackers can execute reverse shells and maintain persistent access on the host.
- Overall, it can compromise the entire deployment environment where Paperclip is running.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Paperclip server is running a vulnerable version (prior to 2026.416.0) and by monitoring for suspicious modifications to the adapter configuration, specifically the field `adapterConfig.workspaceStrategy.provisionCommand` via the PATCH /api/agents/:id API endpoint.
A proof-of-concept involves injecting a command that writes a marker file (e.g., `poc_rce.txt`) on the server filesystem to confirm arbitrary command execution.
Suggested commands to detect exploitation attempts or presence of the vulnerability include:
- Check for the existence of the marker file created by a proof-of-concept exploit: `ls -l /path/to/poc_rce.txt`
- Monitor API requests to the PATCH /api/agents/:id endpoint for changes to `adapterConfig.workspaceStrategy.provisionCommand`.
- Audit server logs for execution of shell commands triggered by workspace provisioning (POST /api/agents/:id/wakeup).
- Check the Paperclip server version with your package manager or by inspecting the installed version to ensure it is 2026.416.0 or later.
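The monitoring suggested above, as an added example that is not part of the Paperclip project or this advisory: a small scanner that flags PATCH /api/agents/:id requests whose body sets `adapterConfig.workspaceStrategy.provisionCommand`, rating the change "high" when it was made with an agent credential. The audit log line format and the sample lines are constructed assumptions; adapt `LINE_RE` to your own proxy or application logs.

```javascript
// Added example, not part of the Paperclip project: scan API audit log lines
// for PATCH /api/agents/:id requests that set the
// adapterConfig.workspaceStrategy.provisionCommand field.
// The log line format below is an assumption; adapt LINE_RE to your own logs.
//   <iso-time> <actorType>:<actorId> <METHOD> <path> <json-body>
const LINE_RE = /^(\S+) (agent|user):(\S+) (\w+) (\S+) (.*)$/;
const AGENT_PATCH_PATH = /^\/api\/agents\/[^/]+$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  let body = {};
  try { body = JSON.parse(m[6]); } catch { body = {}; }
  if (body === null || typeof body !== "object") body = {};
  return { time: m[1], actorType: m[2], actorId: m[3], method: m[4], path: m[5], body };
}

// Return one finding per PATCH /api/agents/:id whose body carries a
// provisionCommand. A change made with an agent credential is the pattern
// described in this CVE and is rated "high"; a user/admin change is "review".
function findProvisionCommandChanges(lines) {
  const findings = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.method !== "PATCH" || !AGENT_PATCH_PATH.test(ev.path)) continue;
    const cmd = ev.body.adapterConfig?.workspaceStrategy?.provisionCommand;
    if (cmd === undefined) continue;
    findings.push({
      time: ev.time,
      actor: `${ev.actorType}:${ev.actorId}`,
      path: ev.path,
      severity: ev.actorType === "agent" ? "high" : "review",
      command: String(cmd),
    });
  }
  return findings;
}

// Constructed sample lines, not real traffic.
const SAMPLE_LOG = [
  '2026-04-20T10:00:01Z user:admin-1 PATCH /api/agents/42 {"name":"builder"}',
  '2026-04-20T10:02:13Z agent:ag-42 PATCH /api/agents/42 ' +
    '{"adapterConfig":{"workspaceStrategy":{"provisionCommand":"npm ci; cat /etc/hostname"}}}',
  '2026-04-20T10:03:00Z agent:ag-42 POST /api/agents/42/wakeup {}',
  '2026-04-20T10:05:00Z user:admin-1 PATCH /api/agents/7 ' +
    '{"adapterConfig":{"workspaceStrategy":{"provisionCommand":"npm ci"}}}',
];

for (const f of findProvisionCommandChanges(SAMPLE_LOG)) {
  console.log(`[${f.severity}] ${f.time} ${f.actor} ${f.path} provisionCommand=${JSON.stringify(f.command)}`);
}
```

Any agent-initiated change to this field is worth an alert regardless of the command text, since an agent credential has no legitimate reason to rewrite its own provisioning command.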
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Paperclip server to version 2026.416.0 or later, which contains the fix for this vulnerability.
Additional recommended mitigations are:
- Restrict modification of execution-sensitive configuration fields like `workspaceStrategy.provisionCommand` to trusted board or admin users, denying such changes from agent credentials.
- Implement server-side allowlists to permit only safe configuration keys.
- Avoid shell execution via `spawn("/bin/sh", ["-c", command])`; instead, use structured command execution with explicit binaries and arguments.
- Validate inputs to reject shell operators such as `|`, `&`, `;`, `$`, and backticks.
- Run workspace provisioning in sandboxed or containerized environments to limit the impact of potential exploitation.