{"data":{"id":"eae7f315-0076-4537-9c39-ccf4635a5e40","title":"GHSA-47wq-cj9q-wpmp: Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys","summary":"Paperclip, an agent management system, has a critical authorization bypass vulnerability where three API endpoints for managing agent API keys (`POST /api/agents/:id/keys`, `GET /api/agents/:id/keys`, and `DELETE /api/agents/:id/keys/:keyId`) only verify that the caller is authenticated, but do not check whether the caller belongs to the company that owns the target agent. This allows any authenticated user to create plaintext API tokens for agents in other companies, effectively bypassing the multi-tenant security boundary (the separation that prevents one company's data from being accessed by another).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-47wq-cj9q-wpmp","publishedAt":"2026-04-16T22:48:32.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["@paperclipai/server@< 2026.416.0 (fixed: 2026.416.0)"],"affectedVendors":[],"affectedVendorsRaw":["Paperclip"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-16T22:48:32.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}