Cyber Posture

CVE-2026-41208

Severity: High · Public PoC · RCE

Published: 23 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (@paperclipai/server 2026.416.0)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41208 is a high-severity OS Command Injection (CWE-78) vulnerability in Paperclip Paperclipai. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 47.4% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related and is categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-6 Least Privilege (prevent): Enforces least privilege by ensuring agent API keys cannot modify sensitive server-executed fields like adapterConfig.workspaceStrategy.provisionCommand, directly preventing privilege escalation.
- AC-3 Access Enforcement (prevent): Mandates enforcement of access control policies to block unauthorized updates to agent configurations via the /agents/:id endpoint, stopping the injection of arbitrary OS commands.
- Access restrictions for change (prevent): Restricts access to make changes to system configurations, such as agent adapterConfig, preventing malicious modifications that lead to server host command execution.

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1210 Exploitation of Remote Services (tactic: Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
- T1059.004 Unix Shell (tactic: Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The flaw is an OS command injection (CWE-78) reachable through a remote API endpoint (/agents/:id) of a Node.js server, and it yields privilege escalation. That combination maps to exploitation for privilege escalation (T1068), exploitation of remote services (T1210), and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime. As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host. @paperclipai/server version 2026.416.0 fixes the issue.

Deeper analysis (AI)

CVE-2026-41208 is a privilege escalation vulnerability in the @paperclipai/server component of Paperclip, a Node.js server and React UI that orchestrates teams of AI agents to run a business. Versions prior to 2026.416.0 are affected, where the issue stems from agents being permitted to update their own adapterConfig via the /agents/:id API endpoint. Specifically, the adapterConfig.workspaceStrategy.provisionCommand field is modifiable and subsequently executed by the server runtime during workspace provisioning, enabling OS command injection classified under CWE-78. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to remote code execution potential on the server host.

An attacker requires only an Agent API key, representing low privileges within the agent runtime, to exploit this flaw. By sending a crafted request to the /agents/:id endpoint, the attacker can inject arbitrary shell commands into the provisionCommand field of their agent's configuration. When the Paperclip server processes workspace provisioning, these commands execute with the server's host privileges, breaching the trust boundary between agent configuration and server execution. This allows escalation from agent-level access to full remote code execution on the underlying host system, potentially compromising confidentiality, integrity, and availability.

The GitHub security advisory at https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4 details the issue and confirms that @paperclipai/server version 2026.416.0 addresses the vulnerability by preventing such unauthorized configuration updates.

In the context of AI agent orchestration platforms like Paperclip, this flaw underscores risks in systems delegating execution to untrusted agent configurations, though no public evidence of real-world exploitation is noted as of the CVE publication on 2026-04-23.
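The root cause described above is an authorization gap: a self-update endpoint merges whatever an agent-scoped credential sends, including a field the server later executes. The following is an added example (not Paperclip's code, and not taken from the advisory or the fix) of how a defender would structure that check: classify each field path in an incoming patch before merging, deny agent principals any write to server-executed fields (or to an ancestor that would replace them wholesale), and confine agents to an explicit allow-list. The patch shape, `principal.kind`, the allow-list contents and the helper names are assumptions; only the path `adapterConfig.workspaceStrategy.provisionCommand` and the `/agents/:id` endpoint come from the advisory text.

```javascript
// Added example, not Paperclip's code. Models the authorization check that closes the class
// of bug described above. All names (principal.kind, patch shape, field lists) are assumptions.

// Fields whose value the server runtime executes on the host. Any write to these, or to an
// ancestor that would replace them wholesale, crosses the agent/server trust boundary.
const SERVER_EXECUTED_PATHS = ['adapterConfig.workspaceStrategy.provisionCommand'];

// Hypothetical allow-list of what an agent may change about itself.
const AGENT_SELF_WRITABLE = ['displayName', 'adapterConfig.model'];

// Keys that would let a deep-merge rewrite the prototype chain instead of the record.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return every dotted path a patch object would write. A scalar or empty object at an
// intermediate key counts as a write to that key, since it replaces the whole subtree.
function patchPaths(patch, prefix = '') {
  const paths = [];
  for (const key of Object.keys(patch)) {
    if (POLLUTING_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    const path = prefix ? `${prefix}.${key}` : key;
    const value = patch[key];
    const isPlainObject = value !== null && typeof value === 'object' && !Array.isArray(value);
    const nested = isPlainObject ? patchPaths(value, path) : [];
    paths.push(...(nested.length ? nested : [path]));
  }
  return paths;
}

// True when writing `written` affects `guarded`: same path, a descendant of it, or an
// ancestor of it (replacing the ancestor replaces the guarded field too).
function touches(written, guarded) {
  return written === guarded
    || written.startsWith(guarded + '.')
    || guarded.startsWith(written + '.');
}

// Plain deep merge of a patch into a record; used by both handler shapes below.
function deepMerge(target, patch) {
  const out = { ...target };
  for (const key of Object.keys(patch)) {
    const v = patch[key];
    const tv = out[key];
    const bothObjects = v && typeof v === 'object' && !Array.isArray(v)
      && tv && typeof tv === 'object' && !Array.isArray(tv);
    out[key] = bothObjects ? deepMerge(tv, v) : v;
  }
  return out;
}

// Vulnerable shape of the handler: whatever the caller sends is merged into the record,
// so an agent credential can set the command the server will later run.
function applyUpdateUnchecked(agent, patch) {
  return deepMerge(agent, patch);
}

// Hardened shape: decide per field path, based on who is calling, before anything is merged.
// Operators (assumed separate, higher-privilege principal) keep full write access here.
function authorizeAgentUpdate(principal, patch) {
  const violations = [];
  if (principal.kind !== 'agent') return { allowed: true, violations };
  for (const path of patchPaths(patch)) {
    if (SERVER_EXECUTED_PATHS.some((g) => touches(path, g))) {
      violations.push({ path, reason: 'server-executed field' });
    } else if (!AGENT_SELF_WRITABLE.some((a) => path === a || path.startsWith(a + '.'))) {
      violations.push({ path, reason: 'not agent-writable' });
    }
  }
  return { allowed: violations.length === 0, violations };
}

function applyUpdateChecked(principal, agent, patch) {
  const decision = authorizeAgentUpdate(principal, patch);
  if (!decision.allowed) return { agent, decision };
  return { agent: deepMerge(agent, patch), decision };
}

// Constructed sample data: an agent record, an agent principal and three self-update patches.
const sampleAgent = {
  id: 'agent-1',
  displayName: 'researcher',
  adapterConfig: { model: 'm', workspaceStrategy: { provisionCommand: 'mkdir -p ws' } },
};
const agentPrincipal = { kind: 'agent', agentId: 'agent-1' };
const benignPatch = { displayName: 'researcher-2' };
const boundaryPatch = { adapterConfig: { workspaceStrategy: { provisionCommand: 'PLACEHOLDER' } } };
const subtreePatch = { adapterConfig: { workspaceStrategy: {} } }; // replaces the whole subtree

console.log('unchecked:', applyUpdateUnchecked(sampleAgent, boundaryPatch).adapterConfig.workspaceStrategy);
console.log('checked:', applyUpdateChecked(agentPrincipal, sampleAgent, boundaryPatch).decision);
```

The ancestor rule in `touches` is the part that is easy to miss: a patch of `{ adapterConfig: { workspaceStrategy: {} } }` never names `provisionCommand`, yet merging it replaces the object that holds it, so a check that only compares exact field names would let it through. Rejecting `__proto__`-style keys before merging keeps the same deep-merge from being turned into prototype pollution.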

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: paperclipai / paperclip, listed as ≤ 2026.416.0. Note that the NVD description above states that versions prior to 2026.416.0 are affected and that 2026.416.0 fixes the issue, so treat 2026.416.0 as the fixed release when checking an installation.

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

- CVE-2026-41679 (same product: Paperclip Paperclipai)
- CVE-2025-66211 (shared CWE-78)
- CVE-2025-45378 (shared CWE-78)
- CVE-2021-47745 (shared CWE-78)
- CVE-2025-56113 (shared CWE-78)
- CVE-2026-34792 (shared CWE-78)
- CVE-2026-34005 (shared CWE-78)
- CVE-2018-25143 (shared CWE-78)
- CVE-2017-20215 (shared CWE-78)
- CVE-2026-6644 (shared CWE-78)

References

- GitHub security advisory GHSA-265w-rf2w-cjh4: https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4