CVE-2026-41679: Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 202
Summary
Paperclip is a Node.js server (a JavaScript runtime that runs outside web browsers) with a React UI (a framework for building user interfaces) that manages multiple AI agents to automate business tasks. Before version 2026.416.0, an attacker without any login credentials could gain full remote code execution (the ability to run arbitrary commands on the target system) on any publicly accessible Paperclip instance using its default settings, simply by knowing the server's address and making six automated API calls (requests to the server's functions).
Solution / Mitigation
Update to version 2026.416.0, which patches the vulnerability.
Vulnerability Details
CVSS score: 10 (critical)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
April 22, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41679
First tracked: April 23, 2026 at 02:09 AM