Paperclip AI OS Command Injection via Execution Workspace cleanupCommand
A critical OS command injection vulnerability exists in Paperclip AI v2026.403.0 within the execution workspace lifecycle. By injecting arbitrary shell commands into the `cleanupCommand` field via the `PATCH /api/execution-workspaces/:id` endpoint, an attacker can execute these commands on the server when the workspace is archived.
Paperclip AI v2026.403.0 is vulnerable to OS command injection. The vulnerability resides in the execution workspace lifecycle, specifically within the workspace-runtime.ts component. By sending a crafted PATCH request to the /api/execution-workspaces/:id endpoint, an attacker can inject arbitrary shell commands into the cleanupCommand field. When the affected workspace is archived the server executes the injected command via child_process.spawn(shell, ["-c", cleanupCommand]). This vulnerability is exploitable in all deployment modes, including local_trusted (zero authentication) and authenticated (any company user). Successful exploitation allows for remote code execution with the privileges of the Paperclip server process on Linux, macOS, and Windows platforms. Proof of concept demonstrations include arbitrary file write, system information exfiltration, and GUI application launch.
Attack Chain
- The attacker sends a
GETrequest to/api/companiesto obtain a company ID. - The attacker sends a
GETrequest to/api/companies/{company_id}/execution-workspacesto enumerate execution workspaces and retrieve a workspace ID. - If the workspace is not in an
activestate, the attacker sends aPATCHrequest to/api/execution-workspaces/{workspace_id}with the body{"status": "active"}to reactivate it. - The attacker crafts a
PATCHrequest to/api/execution-workspaces/{workspace_id}with a JSON body containing a maliciouscleanupCommandwithin theconfigobject, such as{"config": {"cleanupCommand": "echo RCE_PROOF > \\"/tmp/rce-proof.txt\\""}}. - The server stores the injected
cleanupCommandin the workspace configuration. - The attacker triggers the command injection by sending a
PATCHrequest to/api/execution-workspaces/{workspace_id}to archive the workspace, setting"status": "archived". - The server executes the injected command using
child_process.spawn(shell, ["-c", cleanupCommand]). - The attacker achieves remote code execution on the server, potentially leading to data exfiltration, lateral movement, or other malicious activities.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the Paperclip server with the privileges of the server process. This can lead to a range of severe impacts, including remote code execution, data exfiltration of sensitive information (e.g., system info, environment variables, source code), lateral movement within the network, and potential supply chain attacks by injecting backdoors into managed repositories. In local_trusted mode, this requires zero authentication, making it easily exploitable by malicious local processes or web pages.
Recommendation
- Apply input validation to the
cleanupCommandandteardownCommandfields in the PATCH handler to prevent the injection of malicious commands. - Implement command allowlisting, permitting only a predefined set of safe commands for workspace cleanup.
- Replace
spawn(shell, ["-c", command])withexecFile()using an argument array to mitigate shell metacharacter injection. - Implement proper authorization checks BEFORE processing the PATCH request to validate user permissions.
- Deploy the Sigma rule
DetectPaperclipCleanupCommandInjectionto identify attempts to exploit this vulnerability via the PATCH request to/api/execution-workspaces/:id. - Run cleanup commands in a sandboxed environment to minimize the impact of potential exploits.
Detection coverage 2
Detect Paperclip Cleanup Command Injection
criticalDetects potential OS command injection attempts in Paperclip AI by monitoring PATCH requests to the /api/execution-workspaces/:id endpoint with suspicious cleanupCommand values.
Detect Paperclip Workspace Archive Triggering RCE
criticalDetects suspicious workspace archival requests that may trigger remote code execution due to a command injection vulnerability.
Detection queries are available on the platform. Get full rules →