CVE-2026-41208: Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @papercl
Summary
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions before 2026.416.0 contain a privilege escalation vulnerability: an attacker holding an agent API key (the credential that identifies an agent to the server) can inject commands into a configuration field that the server later executes, gaining arbitrary OS command execution on the Paperclip server.
Solution / Mitigation
@paperclipai/server version 2026.416.0 fixes the issue.
Vulnerability Details
CVSS v3.1 base score: 8.8 (High)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
Date: April 22, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41208
First tracked: April 23, 2026 at 02:09 AM
Classified by LLM (prompt v3) · confidence: 92%