{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/api-vulnerability/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["paperclip","authentication-bypass","api-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePaperclip, a software application, contains multiple API endpoints that lack proper authentication checks, even when the application is configured in \u0026ldquo;authenticated\u0026rdquo; mode. This vulnerability allows unauthenticated access to sensitive information and functionality. Observed in versions prior to 2026.416.0, the issue impacts the confidentiality and integrity of the application. An attacker can exploit these vulnerabilities to gather reconnaissance information about the deployment, access heartbeat run issues, retrieve agent instructions, and potentially bypass authentication mechanisms via unauthenticated CLI challenge creation. The disclosed information includes API structure, authentication mechanisms, and internal workflows, which can be leveraged for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/health\u003c/code\u003e to obtain deployment mode, exposure setting, auth status, version, and feature flags.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/skills/index\u003c/code\u003e to retrieve a list of available skill endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/skills/paperclip\u003c/code\u003e to leak the agent heartbeat procedure, API endpoints, parameters, authentication mechanisms, and agent coordination protocols.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/heartbeat-runs/:runId/issues\u003c/code\u003e, attempting to access issue data for a heartbeat run by guessing or obtaining a valid \u003ccode\u003erunId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to \u003ccode\u003e/api/cli-auth/challenges\u003c/code\u003e with a JSON payload containing a command to create a CLI authentication challenge and obtain a \u003ccode\u003eboardApiToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the leaked information to map the internal API structure and plan further attacks or unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the \u003ccode\u003eboardApiToken\u003c/code\u003e obtained in step 5, combined with open registration (if enabled), to persistently generate API keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in significant data exposure, including heartbeat run issues, agent instructions, and internal API structure. An attacker can fingerprint the deployment and map the entire internal API for reconnaissance purposes. Successful exploitation of the unauthenticated CLI challenge creation allows for authentication bypass, potentially leading to a full remote code execution chain. The vulnerability affects organizations using Paperclip versions prior to 2026.416.0. A successful attack can compromise sensitive data, facilitate unauthorized access, and lead to further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch to upgrade Paperclip to version 2026.416.0 or later, which addresses the unauthenticated API access vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003e/api/heartbeat-runs/:runId/issues\u003c/code\u003e endpoint in \u003ccode\u003eserver/src/routes/activity.ts\u003c/code\u003e using \u003ccode\u003eassertCompanyAccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003e/api/cli-auth/challenges\u003c/code\u003e endpoint in \u003ccode\u003eserver/src/routes/access.ts\u003c/code\u003e using \u003ccode\u003eassertBoard\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003e/api/skills/index\u003c/code\u003e and \u003ccode\u003e/api/skills/:skillName\u003c/code\u003e endpoints in \u003ccode\u003eserver/src/routes/access.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReduce the information exposed by the \u003ccode\u003e/api/health\u003c/code\u003e endpoint by removing sensitive data such as \u003ccode\u003edeploymentMode\u003c/code\u003e, \u003ccode\u003edeploymentExposure\u003c/code\u003e, and \u003ccode\u003eversion\u003c/code\u003e or by requiring authentication via \u003ccode\u003eassertBoard\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Paperclip Unauthenticated Health Endpoint Access\u0026rdquo; to identify unauthorized access attempts to the \u003ccode\u003e/api/health\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-paperclip-auth-bypass/","summary":"Paperclip application suffers from multiple unauthenticated API access vulnerabilities allowing attackers to access sensitive data, gather reconnaissance, and potentially bypass authentication.","title":"Paperclip Unauthenticated API Access Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-paperclip-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33512","avideo","improper-authentication","api-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo is an open-source video platform. Versions up to and including 26.0 are vulnerable to an improper authentication issue within the API plugin. The \u003ccode\u003edecryptString\u003c/code\u003e action, intended for internal decryption processes, is exposed without any authentication requirements. Attackers can exploit this vulnerability to submit ciphertext, which is publicly accessible through endpoints like \u003ccode\u003eview/url2Embed.json.php\u003c/code\u003e, and receive the corresponding plaintext. Successful exploitation allows…\u003c/p\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-avideo-decryptstring/","summary":"WWBN AVideo, up to version 26.0, contains an improper authentication vulnerability (CVE-2026-33512) in the API plugin's `decryptString` action, allowing unauthenticated users to decrypt publicly accessible ciphertext and potentially recover protected tokens/metadata.","title":"WWBN AVideo Unauthenticated decryptString Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-avideo-decryptstring/"}],"language":"en","title":"CraftedSignal Threat Feed — Api-Vulnerability","version":"https://jsonfeed.org/version/1.1"}