EUVD-2026-25166
GHSA-68qg-g8mg-6pr7
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. No user interaction, no credentials, just the target's address. The chain consists of six API calls. The attack is fully automated, requires no user interaction, and works against the default deployment configuration. Version 2026.416.0 patches the issue.
Articles & Coverage 1
AnalysisAI
Remote unauthenticated attackers achieve full code execution on Paperclip AI orchestration servers (versions prior to 2026.416.0) via authentication bypass through a six-step API call chain. The attack requires no credentials, no user interaction, and succeeds against default 'authenticated' mode deployments exposed to network access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires network-accessible Paperclip instance (versions < 2026.416.0) running in 'authenticated' mode with default configuration - the exact mode intended for production security. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This represents a critical real-world risk despite no confirmed active exploitation (not in CISA KEV). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for internet-exposed Paperclip instances on common Node.js ports (3000, 8080) using tools like Shodan or Censys, identifying the React UI or API endpoints. Once discovered, the attacker executes a scripted six-step API call sequence against the server, bypassing authentication checks despite 'authenticated' mode being enabled. … |
| Remediation | Immediately upgrade both @paperclipai/server and paperclip npm packages to version 2026.416.0 or later as confirmed by GitHub Security Advisory GHSA-68qg-g8mg-6pr7 (https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Paperclip AI deployments and confirm versions (check @paperclipai/server and paperclip npm package versions). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a
Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p
Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object
Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied
Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito
Share
External POC / Exploit Code
Leaving vuln.today