In the rapidly expanding frontier of AI-driven business, Paperclip has emerged as a sleek Node.js and React-based orchestrator, designed to manage teams of autonomous agents. However, a new technical report reveals that the very platform meant to help you “run a business” might have inadvertently handed the keys to that business to anyone with an internet connection.
Security researchers have unmasked three distinct and devastating vulnerabilities that could lead to full system takeovers and massive data leaks across different organizations.
OS Command Injection (CVSS 9.8)
The most severe flaw strikes at the core of how Paperclip handles its “execution workspaces.” This Critical vulnerability allows an attacker to inject arbitrary shell commands directly into the system.
The issue lies in the cleanupCommand field. When a workspace is archived, the server executes this command verbatim using child_process.spawn(shell, ["-c", cleanupCommand]) without any input validation or sanitization, so shell metacharacters in the stored string are interpreted as additional commands. In the default local_trusted mode for desktop installations, this attack requires zero authentication.
Researchers demonstrated the gravity of this flaw with three independent proofs of exploitation:
- Arbitrary file writing to the local disk.
- Full system information exfiltration (leveraging systeminfo).
- GUI application launch (the classic “calc.exe” demonstration).
Full Cross-Tenant Compromise (CVSS 10)
The second vulnerability shatters the boundaries between different companies using the same Paperclip instance. Due to a failure in scoping checks, any board-authenticated user in “Company A” can effectively impersonate an agent in “Company B”.
By simply supplying a victim agent’s UUID in the URL path, an attacker can list, create, or even revoke API keys for any agent in a completely separate tenant. The report warns that this allows an attacker to “mint agent API keys inside any other company in the same instance and then act as that agent executing the workflows [and] reading the data”.
Cross-Tenant Listing Leak (CVSS 10)
While the first two flaws target control, the third focuses on intelligence. An information disclosure vulnerability allows any user to access sensitive metadata for every agent registered on the platform, regardless of which company they belong to.
This “Listing Leak” exposes:
- Internal IDs and Names of agents.
- Activity Telemetry such as lastUsedAt and revokedAt timestamps.
Because these UUIDs are often exposed through routine activity feeds and heartbeats, an attacker can easily harvest the “victim agent UUID” required to launch the cross-tenant key-minting attack mentioned above.
Remediation
These vulnerabilities affect all versions of Paperclip up to 2026.410.0-canary.1. To secure your AI-driven operations, the following actions are mandatory:
- Update Immediately: Transition to v2026.416.0 or later.
- Sanitize Inputs: Developers are urged to reject or sanitize cleanupCommand and teardownCommand fields.
- Switch Execution Methods: The report recommends replacing spawn(shell, ["-c", command]) with execFile() to prevent shell-based injection.