CVE-2026-41208 (GCVE-0-2026-41208)
Vulnerability from cvelistv5 – Published: 2026-04-23 00:47 – Updated: 2026-04-23 14:46
VLAI?
Title
Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
Summary
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. @paperclipai/server version 2026.416.0 fixes the issue.
Severity ?
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| paperclipai | @paperclipai/server |
Affected:
< 2026.416.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41208",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:41:22.683472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:46:01.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "@paperclipai/server",
"vendor": "paperclipai",
"versions": [
{
"status": "affected",
"version": "\u003c 2026.416.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. @paperclipai/server version 2026.416.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T00:50:14.160Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4"
}
],
"source": {
"advisory": "GHSA-265w-rf2w-cjh4",
"discovery": "UNKNOWN"
},
"title": "Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41208",
"datePublished": "2026-04-23T00:47:45.824Z",
"dateReserved": "2026-04-18T02:51:52.974Z",
"dateUpdated": "2026-04-23T14:46:01.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-41208",
"date": "2026-04-23",
"epss": "0.00229",
"percentile": "0.45678"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-41208\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-23T02:16:18.670\",\"lastModified\":\"2026-04-23T16:16:26.157\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. @paperclipai/server version 2026.416.0 fixes the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-78\", \"lang\": \"en\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4\"}], \"affected\": [{\"vendor\": \"paperclipai\", \"product\": \"@paperclipai/server\", \"versions\": [{\"version\": \"\u003c 2026.416.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-23T00:50:14.160Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. @paperclipai/server version 2026.416.0 fixes the issue.\"}], \"source\": {\"advisory\": \"GHSA-265w-rf2w-cjh4\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41208\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-23T14:41:22.683472Z\"}}}], \"references\": [{\"url\": \"https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-23T14:41:43.912Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-41208\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-18T02:51:52.974Z\", \"datePublished\": \"2026-04-23T00:47:45.824Z\", \"dateUpdated\": \"2026-04-23T14:46:01.107Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-41208
Vulnerability from fkie_nvd - Published: 2026-04-23 02:16 - Updated: 2026-04-23 16:16
Severity ?
Summary
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. @paperclipai/server version 2026.416.0 fixes the issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. @paperclipai/server version 2026.416.0 fixes the issue."
}
],
"id": "CVE-2026-41208",
"lastModified": "2026-04-23T16:16:26.157",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-04-23T02:16:18.670",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-265W-RF2W-CJH4
Vulnerability from github – Published: 2026-04-16 22:45 – Updated: 2026-04-16 22:45
VLAI?
Summary
Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
Details
Summary
Paperclip contains a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime using:
spawn("/bin/sh", ["-c", command])
As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host.
Details
Rootcause
Agent configuration can be modified through the API endpoint:
PATCH /api/agents/:id
The validation schema allows arbitrary configuration fields:
adapterConfig: z.record(z.unknown())
This allows attackers to inject arbitrary keys into the adapter configuration object. Later, during workspace provisioning, the server runtime executes a shell command derived directly from this configuration. Relevant code path:
server/src/services/workspace-runtime.ts
adapterConfig.workspaceStrategy.provisionCommand
↓
provisionExecutionWorktree()
↓
runWorkspaceCommand(...)
↓
spawn("/bin/sh", ["-c", input.command])
Example logic:
const provisionCommand = asString(input.strategy.provisionCommand, "").trim()
await runWorkspaceCommand({
command: provisionCommand
})
Inside runWorkspaceCommand the command is executed using:
spawn(shell, ["-c", input.command])
Because no validation, escaping, or allowlist is applied, attacker-controlled configuration becomes a direct OS command execution primitive.
Affected Files
server/src/services/workspace-runtime.ts
Functions involved:
realizeExecutionWorkspace()
provisionExecutionWorktree()
runWorkspaceCommand()
Attacker Model
Required privileges: Attacker needs:
Agent API key
This credential is intended for agent automation and should not grant host-level execution privileges. Agent credentials may also be exposed to external runtimes, plugins, or third-party agent providers. Allowing such credentials to configure host-executed commands creates a privilege escalation vector. No board or administrator access is required.
Attacker Chain
Complete exploit chain:
Attacker obtains Agent API key
↓
PATCH /api/agents/:id
↓
Inject adapterConfig.workspaceStrategy.provisionCommand
↓
POST /api/agents/:id/wakeup
↓
Server executes workspace provisioning
↓
workspace-runtime.ts
↓
spawn("/bin/sh -c")
↓
Arbitrary command execution on server host
Trust Boundary Violation
Paperclip’s architecture assumes the following separation:
Agent runtime
↓
Paperclip control plane
↓
Server host OS
Agents should only perform workflow automation tasks through the orchestration layer.
However, because agent-controlled configuration is executed directly by the server runtime, the boundary collapses:
Agent configuration
↓
Server command execution
This allows an agent to execute commands outside its intended permissions.
Why This Is a Vulnerability (Not Expected Behavior)
The provisionCommand field appears intended for trusted operators configuring workspace strategies. However, the current API design allows agents themselves to modify this configuration. Because agent credentials are designed for automation and may be exposed to agent runtimes, plugins, or external providers, allowing them to configure commands executed by the host introduces a privilege escalation vector. Therefore:
Operator-controlled configuration → expected feature
Agent-controlled configuration → privilege escalation vulnerability
The vulnerability arises from insufficient separation between configuration authority and execution authority.
PoC
The following PoC demonstrates safe command execution by writing a marker file on the server. The PoC does not modify system state beyond creating a file.
Step 1 — Setup Environment
Run Server:
$env:SHELL = "C:\Program Files\Git\bin\sh.exe"
npx paperclipai onboard --yes
Login Claude:
claude
/login
Step 2 — Obtain Agent API key
Create an agent via the UI or CLI and obtain its API key. Example:
pcp_xxxxxxxxxxxxxxxxxxxxx
Step 3 — Identify agent ID
GET /api/agents/me
Step 4 — Inject malicious configuration
PATCH /api/agents/{agentId}
Payload:
PS E:\BucVe\pocrepo> $patchBody = @{
>> adapterConfig = @{
>> workspaceStrategy = @{
>> type = "git_worktree"
>> provisionCommand = "echo PAPERCLIP_RCE > poc_rce.txt"
>> }
>> }
>> } | ConvertTo-Json -Depth 10
Step 5 — Trigger execution
POST /api/agents/{agentId}/wakeup
Step 6 — Verify command execution
The marker file appears on the server filesystem:
~/.paperclip/worktrees/.../poc_rce.txt
Example content:
PAPERCLIP_RCE
This confirms that attacker-controlled commands executed on the server.
Impact
Successful exploitation allows:
Remote command execution on the Paperclip server
Potential attacker actions:
read environment variables
exfiltrate secrets
modify repositories
access database credentials
execute reverse shells
persist on host
Because Paperclip orchestrates multiple agents and repositories, this can lead to full compromise of the deployment environment. This effectively allows a malicious agent to escape the orchestration layer and execute arbitrary commands on the server host.
Recommended Fix
- Restrict configuration authority Agents should not be able to modify execution-sensitive configuration fields. Example mitigation:
deny adapterConfig.workspaceStrategy modification from agent credentials
- Server-side allowlist Only allow trusted configuration keys. Example:
adapterConfig.workspaceStrategy.provisionCommand
should only be configurable by board/admin actors.
- Avoid shell execution Instead of:
spawn("/bin/sh", ["-c", command])
prefer:
spawn(binary, args)
or a restricted command runner.
- Input validation Reject commands containing shell operators:
|
&
;
$
`
- Sandboxed workspace execution Workspace provisioning should run in a restricted environment (container / sandbox).
Minimal Patch Suggestion
One possible mitigation is to prevent agent principals from modifying execution-sensitive configuration fields such as workspaceStrategy.provisionCommand.
For example, during agent configuration updates, the server can explicitly reject this field when the request is authenticated using an Agent API key.
Example TypeScript guard:
// reject agent-controlled provisionCommand
if (
request.auth?.principal === "agent" &&
body?.adapterConfig?.workspaceStrategy?.provisionCommand
) {
throw new Error(
"Agents are not permitted to configure workspaceStrategy.provisionCommand"
);
}
Additionally, the server should avoid executing arbitrary shell commands derived from configuration values. Instead of executing:
spawn("/bin/sh", ["-c", command])
prefer structured execution:
spawn(binary, args)
or restrict the command to a predefined allowlist.
Security Impact Statement
An authenticated attacker with an Agent API key can modify their agent configuration to inject arbitrary shell commands into workspaceStrategy.provisionCommand. These commands are executed by the Paperclip server during workspace provisioning via spawn("/bin/sh", ["-c", command]), resulting in arbitrary command execution on the host system.
Disclosure
This vulnerability was discovered during security research on the Paperclip orchestration runtime. The issue is reported privately to allow maintainers to patch before public disclosure.
Severity ?
8.8 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@paperclipai/server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.416.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T22:45:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nPaperclip contains a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host.\nAn attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host.\nThe vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint.\nThe configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime using:\n```\nspawn(\"/bin/sh\", [\"-c\", command])\n```\nAs a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning.\nThis breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system.\nThis vulnerability allows remote code execution on the server host.\n\n### Details\n#### Rootcause \nAgent configuration can be modified through the API endpoint:\n```\nPATCH /api/agents/:id\n```\nThe validation schema allows arbitrary configuration fields:\n```\nadapterConfig: z.record(z.unknown())\n```\nThis allows attackers to inject arbitrary keys into the adapter configuration object.\nLater, during workspace provisioning, the server runtime executes a shell command derived directly from this configuration.\nRelevant code path:\n```\nserver/src/services/workspace-runtime.ts\n\nadapterConfig.workspaceStrategy.provisionCommand\n \u2193\nprovisionExecutionWorktree()\n \u2193\nrunWorkspaceCommand(...)\n \u2193\nspawn(\"/bin/sh\", [\"-c\", input.command])\n```\nExample logic:\n```\nconst provisionCommand = asString(input.strategy.provisionCommand, \"\").trim()\n\nawait runWorkspaceCommand({\n command: provisionCommand\n})\n```\nInside runWorkspaceCommand the command is executed using:\n```\nspawn(shell, [\"-c\", input.command])\n```\nBecause no validation, escaping, or allowlist is applied, attacker-controlled configuration becomes a direct OS command execution primitive.\n\n\n#### Affected Files\n```\nserver/src/services/workspace-runtime.ts\n```\nFunctions involved:\n```\nrealizeExecutionWorkspace()\nprovisionExecutionWorktree()\nrunWorkspaceCommand()\n```\n\n#### Attacker Model\nRequired privileges:\nAttacker needs:\n```\nAgent API key\n```\nThis credential is intended for agent automation and should not grant host-level execution privileges.\nAgent credentials may also be exposed to external runtimes, plugins, or third-party agent providers. Allowing such credentials to configure host-executed commands creates a privilege escalation vector.\nNo board or administrator access is required.\n\n#### Attacker Chain\nComplete exploit chain:\n```\nAttacker obtains Agent API key\n \u2193\nPATCH /api/agents/:id\n \u2193\nInject adapterConfig.workspaceStrategy.provisionCommand\n \u2193\nPOST /api/agents/:id/wakeup\n \u2193\nServer executes workspace provisioning\n \u2193\nworkspace-runtime.ts\n \u2193\nspawn(\"/bin/sh -c\")\n \u2193\nArbitrary command execution on server host\n```\n\n#### Trust Boundary Violation\nPaperclip\u2019s architecture assumes the following separation:\n```\nAgent runtime\n \u2193\nPaperclip control plane\n \u2193\nServer host OS\n\nAgents should only perform workflow automation tasks through the orchestration layer.\n\nHowever, because agent-controlled configuration is executed directly by the server runtime, the boundary collapses:\n\nAgent configuration\n \u2193\nServer command execution\n```\nThis allows an agent to execute commands outside its intended permissions.\n\n#### Why This Is a Vulnerability (Not Expected Behavior)\nThe provisionCommand field appears intended for trusted operators configuring workspace strategies.\nHowever, the current API design allows agents themselves to modify this configuration.\nBecause agent credentials are designed for automation and may be exposed to agent runtimes, plugins, or external providers, allowing them to configure commands executed by the host introduces a privilege escalation vector.\nTherefore:\n```\nOperator-controlled configuration \u2192 expected feature\nAgent-controlled configuration \u2192 privilege escalation vulnerability\n```\nThe vulnerability arises from insufficient separation between configuration authority and execution authority.\n\n### PoC\nThe following PoC demonstrates safe command execution by writing a marker file on the server.\nThe PoC does not modify system state beyond creating a file.\n\n#### Step 1 \u2014 Setup Environment\nRun Server:\n```\n$env:SHELL = \"C:\\Program Files\\Git\\bin\\sh.exe\"\nnpx paperclipai onboard --yes\n```\n\u003cimg width=\"1444\" height=\"699\" alt=\"image\" src=\"https://github.com/user-attachments/assets/44401c6d-ec73-4e59-943a-8635d5115c2c\" /\u003e\n\nLogin Claude:\n```\nclaude\n/login\n```\n\n#### Step 2 \u2014 Obtain Agent API key\nCreate an agent via the UI or CLI and obtain its API key.\nExample:\n```\npcp_xxxxxxxxxxxxxxxxxxxxx\n```\n\u003cimg width=\"1457\" height=\"670\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bb1ab898-cf0b-47b1-865a-127ba6fdc43c\" /\u003e\n\n#### Step 3 \u2014 Identify agent ID\n```\nGET /api/agents/me\n```\n\u003cimg width=\"1463\" height=\"639\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cadea916-9e57-4cf4-a11c-7320a22c4ab6\" /\u003e\n\n#### Step 4 \u2014 Inject malicious configuration\n```\nPATCH /api/agents/{agentId}\n```\n\u003cimg width=\"1476\" height=\"697\" alt=\"image\" src=\"https://github.com/user-attachments/assets/612f7a16-b6d6-418e-bcbe-ce602b711b14\" /\u003e\nPayload:\n```\nPS E:\\BucVe\\pocrepo\u003e $patchBody = @{\n\u003e\u003e adapterConfig = @{\n\u003e\u003e workspaceStrategy = @{\n\u003e\u003e type = \"git_worktree\"\n\u003e\u003e provisionCommand = \"echo PAPERCLIP_RCE \u003e poc_rce.txt\"\n\u003e\u003e }\n\u003e\u003e }\n\u003e\u003e } | ConvertTo-Json -Depth 10\n```\n\n#### Step 5 \u2014 Trigger execution\n```\nPOST /api/agents/{agentId}/wakeup\n```\n\u003cimg width=\"1472\" height=\"675\" alt=\"image\" src=\"https://github.com/user-attachments/assets/268c7322-a5f5-4f3a-a4d4-b43efbecb20e\" /\u003e\n\n#### Step 6 \u2014 Verify command execution\n\u003cimg width=\"1231\" height=\"347\" alt=\"image\" src=\"https://github.com/user-attachments/assets/559c483b-077e-42dd-9309-6a5e5c6a3bdc\" /\u003e\nThe marker file appears on the server filesystem:\n```\n~/.paperclip/worktrees/.../poc_rce.txt\n```\nExample content:\n```\nPAPERCLIP_RCE\n```\nThis confirms that attacker-controlled commands executed on the server.\n\n### Impact\nSuccessful exploitation allows:\n```\nRemote command execution on the Paperclip server\n```\nPotential attacker actions:\n```\nread environment variables\nexfiltrate secrets\nmodify repositories\naccess database credentials\nexecute reverse shells\npersist on host\n```\nBecause Paperclip orchestrates multiple agents and repositories, this can lead to full compromise of the deployment environment.\nThis effectively allows a malicious agent to escape the orchestration layer and execute arbitrary commands on the server host.\n\n### Recommended Fix\n1. Restrict configuration authority\nAgents should not be able to modify execution-sensitive configuration fields.\nExample mitigation:\n```\ndeny adapterConfig.workspaceStrategy modification from agent credentials\n```\n2. Server-side allowlist\nOnly allow trusted configuration keys.\nExample:\n```\nadapterConfig.workspaceStrategy.provisionCommand\n\nshould only be configurable by board/admin actors.\n```\n3. Avoid shell execution\nInstead of:\n```\nspawn(\"/bin/sh\", [\"-c\", command])\n```\nprefer:\n```\nspawn(binary, args)\n```\nor a restricted command runner.\n\n4. Input validation\nReject commands containing shell operators:\n```\n|\n\u0026\n;\n$\n`\n```\n5. Sandboxed workspace execution\nWorkspace provisioning should run in a restricted environment (container / sandbox).\n\n### Minimal Patch Suggestion\nOne possible mitigation is to prevent agent principals from modifying execution-sensitive configuration fields such as `workspaceStrategy.provisionCommand`.\nFor example, during agent configuration updates, the server can explicitly reject this field when the request is authenticated using an Agent API key.\nExample TypeScript guard:\n\n```ts\n// reject agent-controlled provisionCommand\nif (\n request.auth?.principal === \"agent\" \u0026\u0026\n body?.adapterConfig?.workspaceStrategy?.provisionCommand\n) {\n throw new Error(\n \"Agents are not permitted to configure workspaceStrategy.provisionCommand\"\n );\n}\n```\nAdditionally, the server should avoid executing arbitrary shell commands derived from configuration values.\nInstead of executing:\n```\nspawn(\"/bin/sh\", [\"-c\", command])\n```\nprefer structured execution:\n```\nspawn(binary, args)\n```\nor restrict the command to a predefined allowlist.\n\n### Security Impact Statement\nAn authenticated attacker with an Agent API key can modify their agent configuration to inject arbitrary shell commands into `workspaceStrategy.provisionCommand`. These commands are executed by the Paperclip server during workspace provisioning via `spawn(\"/bin/sh\", [\"-c\", command])`, resulting in arbitrary command execution on the host system.\n\n### Disclosure\nThis vulnerability was discovered during security research on the Paperclip orchestration runtime.\nThe issue is reported privately to allow maintainers to patch before public disclosure.",
"id": "GHSA-265w-rf2w-cjh4",
"modified": "2026-04-16T22:45:26Z",
"published": "2026-04-16T22:45:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4"
},
{
"type": "PACKAGE",
"url": "https://github.com/paperclipai/paperclip"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…