CVE-2026-41679 · CRITICAL 10.0 · EPSS percentile 61.5%

Description

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with the default configuration. No user interaction or credentials are needed, only the target's address. The chain consists of six API calls, is fully automated, and works against the default deployment configuration. Version 2026.416.0 patches the issue.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.11% probability of exploitation · percentile 61.5% · 2026-06-18T12:00:27Z
Published: 2026-04-23
Last modified: 2026-04-27

Underlying weaknesses · 3

CWE-287, CWE-862, CWE-1188

References

  1. https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7


| Type | Target | Confidence | Tier |
| --- | --- | --- | --- |
| Weakness | Initialization of a Resource with an Insecure Default (cwe-1188) | 0% | live |
| Weakness | Improper Authentication (cwe-287) | 0% | live |
| Weakness | Missing Authorization (cwe-862) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

- CVE-2026-41208
- CVE-2026-22812
- CVE-2026-42302
- CVE-2026-30741
- CVE-2026-41378
- CVE-2026-41349
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.