VYPR
Critical severity 10.0 · NVD Advisory · Published Apr 23, 2026 · Updated Apr 27, 2026

CVE-2026-41679

Description

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. The attack needs no user interaction and no credentials, only the target's address. The chain consists of six API calls, is fully automated, and works against the default deployment configuration. Version 2026.416.0 patches the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
paperclipai (npm) | < 2026.410.0 | 2026.410.0
@paperclipai/server (npm) | < 2026.410.0 | 2026.410.0

Affected products

4
  • cpe:2.3:a:paperclip:paperclipai:*:*:*:*:*:node.js:*:*
    • cpe:2.3:a:paperclip:paperclipai:*:*:*:*:*:node.js:*:* (range: <2026.416.0)
    • cpe:2.3:a:paperclip:paperclipai\/server:*:*:*:*:*:node.js:*:* (range: <2026.416.0)
  • ghsa-coords (2 versions)
    • (no CPE) range: < 2026.410.0
    • (no CPE) range: < 2026.410.0
