{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/paperclipai/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["paperclipai","gmail","openai","authorization bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists within the Paperclip AI ecosystem, specifically affecting the \u003ccode\u003ecodex_local\u003c/code\u003e runtime environment. The core issue stems from a trust-boundary failure, where a Paperclip-managed \u003ccode\u003ecodex_local\u003c/code\u003e runtime gains unauthorized access to Gmail connectors that were previously configured within the broader ChatGPT/OpenAI apps UI. This unintended inheritance of connector permissions allows the \u003ccode\u003ecodex_local\u003c/code\u003e environment to perform actions, such as reading emails and sending messages, without explicit authorization within Paperclip itself. This is further complicated by the \u003ccode\u003ecodex_local\u003c/code\u003e runtime\u0026rsquo;s default setting of \u003ccode\u003edangerouslyBypassApprovalsAndSandbox\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e, which effectively disables security controls and amplifies the risk associated with the connector access.  This issue was identified in Paperclip versions up to and including 2026.403.0. Successful exploitation bypasses intended permission boundaries and poses a significant risk to user data and privacy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser connects their Gmail account within the ChatGPT/OpenAI apps UI for use with other OpenAI services.\u003c/li\u003e\n\u003cli\u003eA self-hosted Paperclip instance is deployed, utilizing the \u003ccode\u003ecodex_local\u003c/code\u003e runtime.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003ecodex_local\u003c/code\u003e agent is created and initiated, operating under default settings, which include \u003ccode\u003edangerouslyBypassApprovalsAndSandbox = true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecodex_local\u003c/code\u003e runtime accesses cached OpenAI curated connector state for Gmail found within the \u003ccode\u003ecodex-home/plugins/cache/openai-curated/gmail/.../.app.json\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eThe agent executes a task designed to inspect mailbox contents, leveraging the inherited Gmail connector.\u003c/li\u003e\n\u003cli\u003eThe agent makes successful \u003ccode\u003emcp__codex_apps__gmail_get_profile\u003c/code\u003e, \u003ccode\u003emcp__codex_apps__gmail_search_emails\u003c/code\u003e, and \u003ccode\u003emcp__codex_apps__gmail_send_email\u003c/code\u003e calls.\u003c/li\u003e\n\u003cli\u003eAn email is sent from the user\u0026rsquo;s Gmail account to an unintended recipient without explicit user authorization or Paperclip configuration.\u003c/li\u003e\n\u003cli\u003eSubsequent \u0026ldquo;retraction\u0026rdquo; emails are sent, further demonstrating the persistent and unauthorized write access to the Gmail account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe unauthorized access to Gmail connectors through Paperclip\u0026rsquo;s \u003ccode\u003ecodex_local\u003c/code\u003e runtime has severe consequences. It enables attackers to perform actions, such as disclosing mailbox identity, accessing email threads, and sending emails to external third parties without explicit user consent. In a real-world scenario, this resulted in the sending of an email from a user\u0026rsquo;s personal Gmail account to an unintended external recipient, and follow-up retraction messages, highlighting the potential for significant reputational damage and data breaches. The inherent trust boundary failure and unsafe default settings significantly amplify the risk, making it critical to address these vulnerabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDisable or restrict the default inheritance of OpenAI app connectors within Paperclip-managed \u003ccode\u003ecodex_local\u003c/code\u003e runs to prevent unintended access to services like Gmail.\u003c/li\u003e\n\u003cli\u003eImplement a default-deny policy for send/write connectors, requiring explicit Paperclip-side opt-in before any outward actions are permitted.\u003c/li\u003e\n\u003cli\u003eModify the \u003ccode\u003ecodex_local\u003c/code\u003e runtime defaults to ensure safer configurations, including setting \u003ccode\u003edangerouslyBypassApprovalsAndSandbox = false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided to detect unauthorized Gmail API calls originating from the Paperclip environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T22:47:40Z","date_published":"2026-04-16T22:47:40Z","id":"/briefs/2024-02-paperclip-gmail-access/","summary":"A Paperclip-managed `codex_local` runtime can access and utilize Gmail connectors connected in the ChatGPT/OpenAI apps UI without explicit Paperclip configuration, allowing unauthorized mailbox access and email sending capabilities due to a trust-boundary failure and dangerous default runtime settings.","title":"Paperclip codex_local Unauthorized Gmail Access","url":"https://feed.craftedsignal.io/briefs/2024-02-paperclip-gmail-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Paperclipai","version":"https://jsonfeed.org/version/1.1"}