Paperclip: OS Command Injection via Execution Workspace cleanupCommand

Description

| Field | Value | |——-|——-| | Affected Software | Paperclip AI v2026.403.0 | | Affected Component | Execution Workspace lifecycle (`workspace-runtime.

Recommendation

Update the @paperclipai/server package to the latest compatible version. Followings are version details:

• Affected version(s): < 2026.416.0
• Patched version(s): 2026.416.0

References

• GHSA-vr7g-88fq-vhq3
• CWE-78
• OWASP 2021-A3

Related Issues

• Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution - CVE-2026-41208
• Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys - Vulnerability
• Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses - Vulnerability
• paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - CVE-2026-41679

You might also like:

How do hackers hack websites?

These 7 PHP mistakes leave your website open to the hackers

Update Cheat Sheet for Developers

Tags:

npm

@paperclipai/server