CVE-2026-41679
- EPSS 1.97%
- Published 23.04.2026 00:53:16
- Last modified 27.04.2026 14:58:34
- Source security-advisories@github.com
Paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with default configuration. No user interaction, no credentials, just the target's address. The chain consists of six API calls. The attack is fully automated, requires no user interaction, and works against the default deployment configuration. Version 2026.416.0 patches the issue.
Data provided by the National Vulnerability Database (NVD)
Affected products:
- Paperclip ≫ Paperclipai, software platform node.js, version < 2026.416.0
- Paperclip ≫ Paperclipai/server, software platform node.js, version < 2026.416.0
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.97% | 0.778 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 10 | 3.9 | 6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
CWE-1188 Initialization of a Resource with an Insecure Default
The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7