Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
Severity: High
Description
Several API endpoints in authenticated mode have no authentication at all. They respond to completely unauthenticated requests with sensitive data or allow state-changing operations. No account, no session, no API key needed.
Verified against the latest version.
Discord: sagi03581
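The fix class for this bug is architectural: decide authentication once, centrally, so that an endpoint cannot ship without an auth check by accident. The following is an added example, not Paperclip's own code, and the route table, mode names ("local" vs "authenticated") and session shape are assumptions; it shows a default-deny dispatcher for authenticated mode plus a regression check that reports any non-public route still answering without credentials.

```javascript
// Added example (not from @paperclipai/server). Models the mitigation for this advisory:
// in authenticated mode every route requires a session unless it is explicitly allowlisted.
// Route table, mode names and session shape below are constructed assumptions.

// Assumed public allowlist: the only routes that may answer without a session.
const PUBLIC_ROUTES = new Set(['GET /api/health']);

// Constructed route table standing in for the server's real handlers.
const routes = {
  'GET /api/health': () => ({ status: 200, body: { ok: true } }),
  'GET /api/agents': () => ({ status: 200, body: { agents: [] } }),
  'POST /api/agents': () => ({ status: 201, body: { created: true } }),
};

// Central dispatcher: the auth decision lives here, not in each handler, so a
// handler that forgets to check credentials is still protected.
function dispatch(req, mode) {
  const key = `${req.method} ${req.path}`;
  const handler = routes[key];
  if (!handler) return { status: 404, body: { error: 'not found' } };
  // 'local' mode is single-user with no auth; 'authenticated' mode is default-deny.
  if (mode === 'authenticated' && !PUBLIC_ROUTES.has(key) && !req.session) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  return handler(req);
}

// Regression guard for the bug in this advisory: drive every non-public route
// with no session and return those that do NOT answer 401 (expected: none).
function unauthenticatedRoutes(mode) {
  return Object.keys(routes).filter((key) => {
    if (PUBLIC_ROUTES.has(key)) return false;
    const [method, path] = key.split(' ');
    return dispatch({ method, path, session: null }, mode).status !== 401;
  });
}
```

Running `unauthenticatedRoutes('authenticated')` in CI after every route change turns a missing auth check into a failing test instead of an advisory.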
Recommendation
Update the @paperclipai/server package to the latest compatible version. Version details:
- Affected version(s): < 2026.416.0
- Patched version(s): 2026.416.0
Related Issues
- GenieACS has an unauthenticated access vulnerability via the NBI API endpoint - CVE-2025-56015
- Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys - Vulnerability
- Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise - Vulnerability
- @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck - CVE-2026-39397
Tags:
- npm
- @paperclipai/server
Last updated on April 16, 2026