{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/paperclip/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["paperclip","authentication-bypass","api-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePaperclip, a software application, contains multiple API endpoints that lack proper authentication checks, even when the application is configured in \u0026ldquo;authenticated\u0026rdquo; mode. This vulnerability allows unauthenticated access to sensitive information and functionality. Observed in versions prior to 2026.416.0, the issue impacts the confidentiality and integrity of the application. An attacker can exploit these vulnerabilities to gather reconnaissance information about the deployment, access heartbeat run issues, retrieve agent instructions, and potentially bypass authentication mechanisms via unauthenticated CLI challenge creation. 
The disclosed information includes API structure, authentication mechanisms, and internal workflows, which can be leveraged for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/health\u003c/code\u003e to obtain deployment mode, exposure setting, auth status, version, and feature flags.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/skills/index\u003c/code\u003e to retrieve a list of available skill endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/skills/paperclip\u003c/code\u003e to leak the agent heartbeat procedure, API endpoints, parameters, authentication mechanisms, and agent coordination protocols.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/heartbeat-runs/:runId/issues\u003c/code\u003e, attempting to access issue data for a heartbeat run by guessing or obtaining a valid \u003ccode\u003erunId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to \u003ccode\u003e/api/cli-auth/challenges\u003c/code\u003e with a JSON payload containing a command to create a CLI authentication challenge and obtain a \u003ccode\u003eboardApiToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the leaked information to map the internal API structure and plan further attacks or unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the \u003ccode\u003eboardApiToken\u003c/code\u003e obtained in step 5, combined with open registration (if enabled), to persistently generate API keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in significant data exposure, including heartbeat run 
issues, agent instructions, and internal API structure. An attacker can fingerprint the deployment and map the entire internal API for reconnaissance purposes. Successful exploitation of the unauthenticated CLI challenge creation allows for authentication bypass, potentially leading to a full remote code execution chain. The vulnerability affects organizations using Paperclip versions prior to 2026.416.0. A successful attack can compromise sensitive data, facilitate unauthorized access, and lead to further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch to upgrade Paperclip to version 2026.416.0 or later, which addresses the unauthenticated API access vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003e/api/heartbeat-runs/:runId/issues\u003c/code\u003e endpoint in \u003ccode\u003eserver/src/routes/activity.ts\u003c/code\u003e using \u003ccode\u003eassertCompanyAccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003e/api/cli-auth/challenges\u003c/code\u003e endpoint in \u003ccode\u003eserver/src/routes/access.ts\u003c/code\u003e using \u003ccode\u003eassertBoard\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003e/api/skills/index\u003c/code\u003e and \u003ccode\u003e/api/skills/:skillName\u003c/code\u003e endpoints in \u003ccode\u003eserver/src/routes/access.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReduce the information exposed by the \u003ccode\u003e/api/health\u003c/code\u003e endpoint by removing sensitive data such as \u003ccode\u003edeploymentMode\u003c/code\u003e, \u003ccode\u003edeploymentExposure\u003c/code\u003e, and \u003ccode\u003eversion\u003c/code\u003e or by requiring authentication via \u003ccode\u003eassertBoard\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule 
\u0026ldquo;Detect Paperclip Unauthenticated Health Endpoint Access\u0026rdquo; to identify unauthorized access attempts to the \u003ccode\u003e/api/health\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-paperclip-auth-bypass/","summary":"Paperclip application suffers from multiple unauthenticated API access vulnerabilities allowing attackers to access sensitive data, gather reconnaissance, and potentially bypass authentication.","title":"Paperclip Unauthenticated API Access Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-paperclip-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["paperclip","broken-access-control","cross-tenant"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in Paperclip, specifically affecting instances running in authenticated mode with open sign-ups enabled. This flaw allows any authenticated user, even without any company memberships, to mint API tokens for agents belonging to other companies. This is due to the absence of \u003ccode\u003eassertCompanyAccess\u003c/code\u003e checks on the \u003ccode\u003e/api/agents/:id/keys\u003c/code\u003e endpoint and other agent lifecycle management endpoints. An attacker can exploit this to gain unauthorized access to sensitive information within the victim tenant, including company metadata, issues, approvals, agent configurations, and adapter settings. The vulnerability was verified on Paperclip version 2026.411.0-canary.8 (commit b649bd4), which postdates the 2026.410.0 patch that addressed a related issue. 
This vulnerability poses a significant risk to multi-tenant Paperclip deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker signs up for a Paperclip account using the default \u003ccode\u003e/api/auth/sign-up/email\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker verifies their account and confirms they have no company memberships via \u003ccode\u003eGET /api/companies\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the ID of a target agent belonging to a different company, potentially through activity feeds or other exposed APIs.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/agents/:id/keys\u003c/code\u003e with a desired name for the API key, targeting the victim agent\u0026rsquo;s ID.\u003c/li\u003e\n\u003cli\u003eThe server responds with a \u003ccode\u003e201\u003c/code\u003e status code, returning a plaintext \u003ccode\u003epcp_*\u003c/code\u003e token. No company access check is performed at this stage.\u003c/li\u003e\n\u003cli\u003eAttacker uses the stolen token as a \u003ccode\u003eBearer\u003c/code\u003e credential in subsequent API requests.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eactorMiddleware\u003c/code\u003e resolves the token to an actor with the victim\u0026rsquo;s company ID, bypassing authorization checks.\u003c/li\u003e\n\u003cli\u003eAttacker can now access sensitive information such as company metadata, issues, approvals, and agent configurations via API endpoints like \u003ccode\u003e/api/companies/:victimId\u003c/code\u003e, \u003ccode\u003e/api/companies/:victimId/issues\u003c/code\u003e, and \u003ccode\u003e/api/agents/:victimAgentId\u003c/code\u003e. 
They can also pause, terminate, or delete the agent using other vulnerable endpoints.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for a complete bypass of tenancy boundaries in Paperclip. The impact includes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eConfidentiality:\u003c/strong\u003e Unauthorized access to sensitive company data, including metadata, issues, approvals, agent configurations, and adapter settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIntegrity:\u003c/strong\u003e Ability to manipulate agent configurations and trigger actions within the victim tenant, potentially leading to data breaches or malicious activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAvailability:\u003c/strong\u003e Ability to pause, terminate, or delete agents belonging to other companies, disrupting their operations.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe severity is high due to the ease of exploitation, default configurations, and the persistence of the stolen tokens. 
The vulnerability affects all Paperclip instances running in \u003ccode\u003eauthenticated\u003c/code\u003e mode with open sign-up enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix provided in the advisory to \u003ccode\u003eserver/src/routes/agents.ts\u003c/code\u003e by implementing company access checks (\u003ccode\u003eassertCompanyAccess\u003c/code\u003e) for the \u003ccode\u003e/api/agents/:id/keys\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAudit and apply similar fixes to the sibling lifecycle handlers at \u003ccode\u003e/agents/:id/pause\u003c/code\u003e, \u003ccode\u003e/resume\u003c/code\u003e, \u003ccode\u003e/terminate\u003c/code\u003e, and \u003ccode\u003eDELETE /agents/:id\u003c/code\u003e as these share the same vulnerability.\u003c/li\u003e\n\u003cli\u003eConduct a code-wide sweep for \u003ccode\u003eassertBoard(req)\u003c/code\u003e calls not immediately followed by \u003ccode\u003eassertCompanyAccess\u003c/code\u003e or \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e to identify and address other potential cross-tenant access issues.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM and tune for your environment to detect unauthorized token minting and API access.\u003c/li\u003e\n\u003cli\u003eMonitor Paperclip server logs for unusual API requests to \u003ccode\u003e/api/agents/:id/keys\u003c/code\u003e from users without company memberships.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-paperclip-agent-token-minting/","summary":"A vulnerability in Paperclip allows any authenticated user to mint agent API tokens for other tenants, leading to unauthorized access and control due to missing company access checks.","title":"Paperclip Cross-Tenant Agent API Token Minting 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-paperclip-agent-token-minting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["idor","cross-tenant","api","paperclip","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in the Paperclip control-plane API, specifically in versions prior to 2026.416.0. The vulnerability allows a board user with membership in one company (e.g., Company A) to manipulate agent API keys for agents belonging to a different company (e.g., Company B). This is due to an Insecure Direct Object Reference (IDOR) in the \u003ccode\u003e/agents/:id/keys\u003c/code\u003e routes (GET, POST, DELETE) where the API only validates the user\u0026rsquo;s board-type session but fails to verify access to the company owning the target agent. By exploiting this flaw, an attacker can mint a new agent API key for an agent in the victim tenant, granting them full agent-level access within that tenant. This cross-tenant compromise allows the attacker to execute workflows, read data, and call any endpoint authorized for agents in the victim tenant, effectively breaching tenant isolation. 
The vulnerability was introduced due to missing company access checks in the key-management routes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates as a board user within Company A.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers or obtains the UUID of an agent belonging to Company B.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/agents/\u0026lt;VICTIM_COMPANY_B_AGENT_ID\u0026gt;/keys\u003c/code\u003e with a name to create a new API key.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper authorization checks, creates a new API key associated with the victim agent\u0026rsquo;s \u003ccode\u003ecompanyId\u003c/code\u003e and returns the cleartext token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly minted agent token in the \u003ccode\u003eAuthorization\u003c/code\u003e header to authenticate subsequent requests.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s authentication middleware incorrectly sets the \u003ccode\u003ereq.actor\u003c/code\u003e to an agent type associated with the victim\u0026rsquo;s company.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully accesses resources and executes actions within Company B\u0026rsquo;s tenant, bypassing company access checks.\u003c/li\u003e\n\u003cli\u003eThe attacker can enumerate and revoke existing keys using the \u003ccode\u003e/agents/:id/keys\u003c/code\u003e and \u003ccode\u003e/agents/:id/keys/:keyId\u003c/code\u003e endpoints, causing denial of service to legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability leads to a full cross-tenant compromise. An attacker can gain unauthorized access to any tenant within the Paperclip instance, provided they have a minimal valid account (board user in any company) and a victim agent UUID. 
This allows the attacker to execute workflows, read sensitive data, and call any authorized endpoint within the victim tenant, leading to complete confidentiality, integrity, and availability loss. Furthermore, the attacker can revoke legitimate agent keys, resulting in a denial of service. This represents a scope change, where a vulnerability in Company A\u0026rsquo;s scoping checks results in catastrophic impact within Company B\u0026rsquo;s tenant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement explicit company-access checks on the \u003ccode\u003e/agents/:id/keys\u003c/code\u003e (GET, POST) and \u003ccode\u003e/agents/:id/keys/:keyId\u003c/code\u003e (DELETE) routes before interacting with the service layer. This directly addresses the core issue as described in the advisory\u0026rsquo;s \u0026ldquo;Recommended Fix\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Paperclip Cross-Tenant API Key Creation\u003c/code\u003e to identify unauthorized API key creation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Paperclip Cross-Tenant API Access\u003c/code\u003e to detect unauthorized access using stolen agent tokens.\u003c/li\u003e\n\u003cli\u003eUpgrade to npm/@paperclipai/server version 2026.416.0 or later to patch the vulnerability as mentioned in the advisory\u0026rsquo;s \u0026ldquo;Affected Packages\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T22:49:46Z","date_published":"2026-04-16T22:49:46Z","id":"/briefs/2026-04-paperclip-idor/","summary":"A Paperclip API vulnerability allows a board user from one company to create, list, and revoke agent API keys in another company, leading to full cross-tenant compromise due to insufficient authorization checks on `/agents/:id/keys` routes.","title":"Paperclip Cross-Tenant Agent API Key IDOR 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-paperclip-idor/"}],"language":"en","title":"CraftedSignal Threat Feed — Paperclip","version":"https://jsonfeed.org/version/1.1"}