CVE-2026-41679
Unauthenticated Remote Code Execution in Paperclip Server

Publication date: 2026-04-23

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with default configuration. No user interaction, no credentials, just the target's address. The chain consists of six API calls. The attack is fully automated, requires no user interaction, and works against the default deployment configuration. Version 2026.416.0 patches the issue.
Meta Information
Published: 2026-04-23
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor      Product             Version / Range
paperclip   paperclipai         all versions before 2026.416.0 (2026.416.0 excluded)
paperclip   paperclipai/server  all versions before 2026.416.0 (2026.416.0 excluded)
Weakness types (CWE)
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-1188 (Insecure Default Initialization of Resource): The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your Paperclip instance to version 2026.416.0 or later, as this version patches the issue.

Since the vulnerability allows unauthenticated remote code execution on default configurations running in authenticated mode, applying the patch is critical to prevent exploitation.


How can this vulnerability impact me?

This vulnerability allows an attacker to gain full remote code execution on the affected Paperclip server. This means the attacker can run any code they choose on the server, potentially leading to complete system compromise, data theft, service disruption, or further attacks within the network.


Can you explain this vulnerability to me?

This vulnerability affects Paperclip, a Node.js server and React UI that manages AI agents for business operations. Before version 2026.416.0, an unauthenticated attacker could remotely execute arbitrary code on any network-accessible Paperclip instance running in authenticated mode with default settings. The attack requires no user interaction or credentials and involves a chain of six API calls. It is fully automated and exploits the default deployment configuration.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an unauthenticated attacker to achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. Such a severe security flaw, with a CVSS score of 10.0 indicating critical impact on confidentiality, integrity, and availability, could lead to unauthorized access to sensitive data and systems.

Given the potential for unauthorized data access and system compromise, this vulnerability could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

