Remote Code Execution Vulnerability in Paperclip by Paperclip AI
CVE-2026-41679

10CRITICAL

Key Information:

Vendor: Paperclipai
Status: Paperclip; @paperclipai/server
Vendor: CVE Published:; 23 April 2026

🔔 Create Paperclipai Vulnerability Alert

What is CVE-2026-41679?

A critical vulnerability exists in Paperclip, a Node.js server and React UI designed to manage AI agents for business operations. Before the release of version 2026.416.0, an unauthenticated attacker could exploit this flaw to achieve full remote code execution on any Paperclip instance operating in 'authenticated' mode with default settings. The attack is highly automated, requiring no user interaction or authentication, and takes advantage of a sequence of six specific API calls. Users are urged to update to the latest version to mitigate these security risks. For further details, please refer to the security advisory.

Affected Version(s)

@paperclipai/server < 2026.410.0

paperclip < 2026.410.0

References

https://github.com/paperclipai/paperclip/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Apr 22, 2026

CVE-2026-41679 Data

JSON