CVE-2026-41208

CVE-2026-41208 is a privilege escalation vulnerability in the @paperclipai/server component of Paperclip, a Node.js server and React UI that orchestrates teams of AI agents to run a business. Versions prior to 2026.416.0 are affected, where the issue stems from agents being permitted to update their own adapterConfig via the /agents/:id API endpoint. Specifically, the adapterConfig.workspaceStrategy.provisionCommand field is modifiable and subsequently executed by the server runtime during workspace provisioning, enabling OS command injection classified under CWE-78. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to remote code execution potential on the server host.

An attacker requires only an Agent API key, representing low privileges within the agent runtime, to exploit this flaw. By sending a crafted request to the /agents/:id endpoint, the attacker can inject arbitrary shell commands into the provisionCommand field of their agent's configuration. When the Paperclip server processes workspace provisioning, these commands execute with the server's host privileges, breaching the trust boundary between agent configuration and server execution. This allows escalation from agent-level access to full remote code execution on the underlying host system, potentially compromising confidentiality, integrity, and availability.

The GitHub security advisory at https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4 details the issue and confirms that @paperclipai/server version 2026.416.0 addresses the vulnerability by preventing such unauthorized configuration updates.

In the context of AI agent orchestration platforms like Paperclip, this flaw underscores risks in systems delegating execution to untrusted agent configurations, though no public evidence of real-world exploitation is noted as of the CVE publication on 2026-04-23.