top of page
perceptive_background_267k.jpg

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain …

Published:

22 April 2026 at 22:00:00

Alert date:

23 April 2026 at 03:01:27

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Enterprise Applications

A privilege escalation vulnerability in Paperclip AI server versions prior to 2026.416.0 allows attackers with Agent API keys to execute arbitrary OS commands on the server host. The vulnerability occurs through the /agents/:id API endpoint where agents can update their adapterConfig, and the provisionCommand field is executed by the server runtime. This breaks the trust boundary between agent runtime and server host, enabling remote code execution. The issue is fixed in version 2026.416.0.

Technical details

Mitigation steps:

Affected products:

@paperclipai/server
Paperclip AI

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-41208
https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page