CVE-2026-41679

10.0 CRITICAL
Published: April 23, 2026
Modified: April 27, 2026

Description

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with the default configuration. The attack needs no credentials and no user interaction, only the target's address: the chain consists of six API calls, is fully automatable, and works against the default deployment configuration. Version 2026.416.0 patches the issue.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Tags: Patch, Vendor Advisory, Exploit, Third Party Advisory
https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7
Source: security-advisories@github.com
Tags: Third Party Advisory, Exploit, Mitigation
https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Tags: Third Party Advisory, Exploit, Mitigation

2 references from NVD

Quick Stats

CVSS v3 Score
10.0 / 10.0
EPSS (Exploit Probability)
0.5%
67th percentile
Exploitation Status
Not in CISA KEV

Affected Vendors

paperclip