paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
- Severity: High
Description
An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. No user interaction, no credentials, just the target’s address. The entire chain is six API calls.
I verified every step against the latest version.
Recommendation
Update the @paperclipai/server package to the latest compatible version. Version details:
- Affected version(s): < 2026.410.0
- Patched version(s): 2026.410.0
References
- GHSA-68qg-g8mg-6pr7
- CVE-2026-41679
- CWE-1188
- CWE-287
- CWE-862
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - paperclipai - CVE-2026-41679
- FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass - CVE-2026-43947
- Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step - CVE-2026-35216
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- Tags: npm, @paperclipai/server
Last updated on April 27, 2026