Critical severity10.0NVD Advisory· Published Apr 23, 2026· Updated Apr 27, 2026
CVE-2026-41679
CVE-2026-41679
Description
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. No user interaction, no credentials, just the target's address. The chain consists of six API calls. The attack is fully automated, requires no user interaction, and works against the default deployment configuration. Version 2026.416.0 patches the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
paperclipainpm | < 2026.410.0 | 2026.410.0 |
@paperclipai/servernpm | < 2026.410.0 | 2026.410.0 |
Affected products
2- cpe:2.3:a:paperclip:paperclipai\/server:*:*:*:*:*:node.js:*:*Range: <2026.416.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-68qg-g8mg-6pr7ghsaADVISORY
- github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7nvdThird Party AdvisoryExploitMitigationWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41679ghsaADVISORY
News mentions
0No linked articles in our index yet.