CRITICAL🇵🇱 Wersja polska

CVE-2026-41679

CVSS 10.0v3.1pub. 2026-04-23upd. 2026-04-27

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with default configuration. No user interaction, no credentials, just the target's address. The chain consists of six API calls. The attack is fully automated, requires no user interaction, and works against the default deployment configuration. Version 2026.416.0 patches the issue.

🤖 AI Analysis
How it works

The attacker executes a chain of six API calls on a publicly or network-accessible Paperclip instance, bypassing authentication mechanisms (Auth Bypass) resulting from CWE-287 (improper authentication), CWE-862 (missing authorization), and CWE-1188 (insecure default resource initialization) errors. The entire attack is fully automated, requires no user interaction or knowledge of login credentials — only the target's network address is needed. The vulnerability exists in versions prior to 2026.416.0 with default deployment configuration.

Impact

The attacker gains complete remote code execution (RCE) on the victim's server with the ability to compromise the confidentiality, integrity, and availability of the system — CVSS assigns maximum scores in all three categories (C:H/I:H/A:H) with scope extending beyond the vulnerable service (S:C).

Mitigation & patch

Paperclip must be immediately updated to version 2026.416.0 or later, which contains a fix for the described vulnerability. If immediate update is not possible, restrict network access to the Paperclip instance only to trusted hosts (firewall, network segmentation) and do not expose the server publicly.

Who is affected

Paperclip (Paperclipai/Server and Paperclipai) in all versions prior to 2026.416.0, running with default configuration in 'authenticated' mode

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Paperclip Paperclipai

    APP
    Paperclip
    < 2026.416.0
  • Paperclip Paperclipai\/server

    APP
    Paperclip
    < 2026.416.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-41208HIGH8.8ten sam produkt

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions o...