CVE-2026-41679
Last modified
CVE-2026-41679 is a critical-severity vulnerability rated 10/10 on the CVSS scale. Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with default configuration. EPSS estimates a 1.97% chance of exploitation in the next 30 days.
Description
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with default configuration. No user interaction, no credentials, just the target's address. The chain consists of six API calls. The attack is fully automated, requires no user interaction, and works against the default deployment configuration. Version 2026.416.0 patches the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Paperclip | Paperclipai | < 2026.416.0 |
| Paperclip | Paperclipai\/Server | < 2026.416.0 |
References
- https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7Exploit, Mitigation, Third Party Advisory
- https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7Exploit, Mitigation, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-41679?
How severe is CVE-2026-41679?
How do I fix CVE-2026-41679?
Are you affected by CVE-2026-41679?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST