Description
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. @paperclipai/server version 2026.416.0 fixes the issue.
Published: 2026-04-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Paperclip versions older than 2026.416.0 expose a privilege‑escalation flaw that allows an attacker possessing an Agent API key to insert and execute arbitrary shell commands on the server host. The flaw originates from an agent’s ability to modify its own adapterConfig via the /agents/:id endpoint, specifically the workspaceStrategy.provisionCommand field, which the server later evaluates during workspace provisioning. This breach of the intended trust boundary turns a normally isolated agent runtime into a full‑blown vector for remote code execution on the host operating system, compromising confidentiality, integrity and availability of the entire infrastructure. CWE‑78 describes this type of command injection vulnerability.

Affected Systems

The vulnerability affects Paperclip’s Node.js server component, identified as @paperclipai/server. All releases prior to 2026.416.0 are impacted. The flaw has been mitigated in @paperclipai/server 2026.416.0 and later updates.

Risk and Exploitability

The issue is scored with a CVSS of 8.8, indicating high severity, while the EPSS score is below 1 %, reflecting a low but non‑zero likelihood of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. Attackers must possess a valid agent credential and can leverage the exposed endpoint to inject commands, resulting in remote code execution. No additional exploitation prerequisites beyond normal agent access are required, so the attack vector is effectively external via the public API.

Generated by OpenCVE AI on April 28, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @paperclipai/server to version 2026.416.0 or later.
  • Revoke or rotate any compromised Agent API keys and enforce least‑privilege access for agents.
  • Disable or remove the ability for agents to modify adapterConfig.workspaceStrategy.provisionCommand if backward compatibility is required.
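
As an added illustration of the last action (not Paperclip's code and not the vendor's fix), the following Node.js check rejects agent-authenticated updates that introduce or change a field the host later executes. Only the field path adapterConfig.workspaceStrategy.provisionCommand comes from the advisory; the actor shape, function names and sample records are assumptions.

```javascript
// Added example, not Paperclip source. Only the field path below comes from
// the advisory; actor shape, function names and sample data are assumptions.
const HOST_EXECUTED_FIELDS = [
  ["adapterConfig", "workspaceStrategy", "provisionCommand"],
];

// Walk `obj` along `path`; report whether the leaf key is explicitly present.
function lookup(obj, path) {
  let node = obj;
  for (const key of path) {
    if (node === null || typeof node !== "object" ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return { present: false, value: undefined };
    }
    node = node[key];
  }
  return { present: true, value: node };
}

// Decide whether `actor` may apply `patch` to the stored agent record.
// An agent may echo back the stored value (clients often resend whole
// objects) but may not introduce or change a host-executed field.
function checkAgentPatch(actor, stored, patch) {
  const blocked = [];
  if (actor.kind === "agent") {
    for (const path of HOST_EXECUTED_FIELDS) {
      const next = lookup(patch, path);
      if (!next.present) continue;
      const cur = lookup(stored, path);
      if (!cur.present || cur.value !== next.value) {
        blocked.push(path.join("."));
      }
    }
  }
  return { allowed: blocked.length === 0, blocked };
}

// Constructed sample records and request bodies.
const stored = {
  id: "agent-1",
  adapterConfig: { workspaceStrategy: { provisionCommand: "npm ci" } },
};
const rename = { name: "builder" };
const echo = { adapterConfig: { workspaceStrategy: { provisionCommand: "npm ci" } } };
const change = { adapterConfig: { workspaceStrategy: { provisionCommand: "npm ci && make" } } };
```

A handler for the /agents/:id update would call checkAgentPatch before persisting and return an authorization error, with the blocked paths logged, when allowed is false.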



Advisories
Source | ID | Title
GitHub GHSA | GHSA-265w-rf2w-cjh4 | Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution

History

Tue, 28 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Paperclipai; Paperclipai paperclipai/server
Vendors & Products | | Paperclipai; Paperclipai paperclipai/server

Mon, 27 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Paperclip; Paperclip paperclipai
CPEs | | cpe:2.3:a:paperclip:paperclipai:*:*:*:*:*:node.js:*:*
Vendors & Products | | Paperclip; Paperclip paperclipai

Thu, 23 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. @paperclipai/server version 2026.416.0 fixes the issue.
Title | | Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T14:46:01.107Z

Reserved: 2026-04-18T02:51:52.974Z

Link: CVE-2026-41208

Vulnrichment

Updated: 2026-04-23T14:41:43.912Z

NVD

Status: Analyzed

Published: 2026-04-23T02:16:18.670

Modified: 2026-04-27T15:14:22.080

Link: CVE-2026-41208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses