{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/paperclip/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Paperclip","paperclipai","@paperclipai/server"],"_cs_severities":["critical"],"_cs_tags":["paperclip","rce","authentication-bypass","code-execution"],"_cs_type":"advisory","_cs_vendors":["Paperclip"],"content_html":"\u003cp\u003ePaperclip is vulnerable to an unauthenticated remote code execution (RCE) flaw, affecting instances running in \u003ccode\u003eauthenticated\u003c/code\u003e mode with default configurations. This vulnerability allows attackers to gain full control of the system without requiring any user interaction or credentials. The exploit chain consists of several steps, including creating an account without email verification, generating and approving a CLI authentication token, and exploiting a missing authorization check in the company import endpoint. This allows the attacker to deploy a malicious agent configured with a process adapter, enabling arbitrary command execution as the server's OS user. The vulnerability affects versions prior to 2026.410.0 of the \u003ccode\u003epaperclipai\u003c/code\u003e and \u003ccode\u003e@paperclipai/server\u003c/code\u003e npm packages.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Creation:\u003c/strong\u003e The attacker creates a new account via the \u003ccode\u003e/api/auth/sign-up/email\u003c/code\u003e endpoint. No invite token or email verification is required.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSign In:\u003c/strong\u003e The attacker signs in with the newly created account via the \u003ccode\u003e/api/auth/sign-in/email\u003c/code\u003e endpoint, obtaining a session cookie.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCLI Auth Challenge Creation:\u003c/strong\u003e The attacker creates a CLI auth challenge via the \u003ccode\u003e/api/cli-auth/challenges\u003c/code\u003e endpoint. No authentication is needed for this step. The response includes a \u003ccode\u003etoken\u003c/code\u003e and \u003ccode\u003eboardApiToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCLI Auth Challenge Approval:\u003c/strong\u003e The attacker approves the CLI auth challenge via the \u003ccode\u003e/api/cli-auth/challenges/\u0026lt;id\u0026gt;/approve\u003c/code\u003e endpoint using the session cookie obtained in step 2. The server only verifies that the caller is a board user, not that they are the challenge creator.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompany Import:\u003c/strong\u003e The attacker exploits the missing \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e check in the \u003ccode\u003e/api/companies/import\u003c/code\u003e endpoint to import a malicious company configuration. This configuration includes an agent with a \u003ccode\u003eprocess\u003c/code\u003e adapter that specifies a command to execute.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Trigger:\u003c/strong\u003e The attacker triggers the malicious agent via the \u003ccode\u003e/api/agents/\u0026lt;agent-id\u0026gt;/wakeup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e The \u003ccode\u003eprocess\u003c/code\u003e adapter executes the attacker-specified command (e.g., \u003ccode\u003ebash -c \u0026quot;id \u0026gt; /tmp/pwned.txt \u0026amp;\u0026amp; ...\u0026quot;\u003c/code\u003e), resulting in code execution as the server's OS user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary commands as the Paperclip server's OS user. This grants:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eFull filesystem access (read/write as the server user)\u003c/li\u003e\n\u003cli\u003eAccess to all data in the Paperclip database\u003c/li\u003e\n\u003cli\u003eAbility to pivot to internal network services\u003c/li\u003e\n\u003cli\u003eAbility to disrupt all agent operations\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe attack is fully automated and works against the default deployment configuration, posing a critical risk to affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eDisable open registration by default:\u003c/strong\u003e Modify \u003ccode\u003eserver/src/config.ts:172\u003c/code\u003e to change \u003ccode\u003e?? false\u003c/code\u003e to \u003ccode\u003e?? true\u003c/code\u003e and document \u003ccode\u003ePAPERCLIP_AUTH_DISABLE_SIGN_UP\u003c/code\u003e in the deployment guide.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrevent CLI auth self-approval:\u003c/strong\u003e  Modify \u003ccode\u003eserver/src/routes/access.ts\u003c/code\u003e around line 1700 to reject when the approving user is the same user who created the challenge.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequire email verification:\u003c/strong\u003e Modify \u003ccode\u003eserver/src/auth/better-auth.ts:91\u003c/code\u003e to set \u003ccode\u003erequireEmailVerification: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdd \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e to the import endpoint for \u003ccode\u003enew_company\u003c/code\u003e mode:\u003c/strong\u003e Modify \u003ccode\u003eserver/src/routes/companies.ts\u003c/code\u003e, lines 161-176, to include the \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e check for \u003ccode\u003ePOST /import\u003c/code\u003e and \u003ccode\u003ePOST /import/preview\u003c/code\u003e when \u003ccode\u003emode\u003c/code\u003e is set to \u003ccode\u003enew_company\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor web server logs\u003c/strong\u003e for POST requests to \u003ccode\u003e/api/companies/import\u003c/code\u003e that do not originate from an instance administrator to detect potential exploitation attempts, utilizing the rule below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/","summary":"An unauthenticated attacker can achieve remote code execution on Paperclip instances by exploiting multiple vulnerabilities, including open signup, self-approval of CLI authentication challenges, and missing authorization checks in the company import endpoint, leading to arbitrary command execution as the server's OS user.","title":"Paperclip Unauthenticated Remote Code Execution via Import Authorization Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Paperclip"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","remote-code-execution","paperclip"],"_cs_type":"advisory","_cs_vendors":["Paperclip"],"content_html":"\u003cp\u003eA privilege escalation vulnerability exists in Paperclip, a workflow automation and orchestration tool. The vulnerability stems from insufficient validation of agent configuration updates. An attacker possessing a valid Agent API key can exploit this flaw to achieve arbitrary OS command execution on the Paperclip server host. Specifically, by sending a PATCH request to the \u003ccode\u003e/api/agents/:id\u003c/code\u003e endpoint, the attacker can modify the \u003ccode\u003eadapterConfig.workspaceStrategy.provisionCommand\u003c/code\u003e field, injecting malicious shell commands. When the server subsequently executes the workspace provisioning routine, these injected commands are executed, bypassing the intended trust boundary between agent runtime configuration and server host execution. The vulnerability affects Paperclip versions prior to 2026.416.0. Successful exploitation leads to remote code execution on the server host, potentially allowing attackers to compromise the entire deployment environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains a valid Agent API key through legitimate means or compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePATCH\u003c/code\u003e request to the \u003ccode\u003e/api/agents/:id\u003c/code\u003e endpoint, targeting a specific agent.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePATCH\u003c/code\u003e request modifies the agent's \u003ccode\u003eadapterConfig\u003c/code\u003e, specifically injecting a malicious command into the \u003ccode\u003eadapterConfig.workspaceStrategy.provisionCommand\u003c/code\u003e field. For example: \u003ccode\u003eecho PAPERCLIP_RCE \u0026gt; poc_rce.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers workspace provisioning by sending a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/api/agents/:id/wakeup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Paperclip server executes the workspace provisioning routine, which includes running the command specified in \u003ccode\u003eadapterConfig.workspaceStrategy.provisionCommand\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server executes the injected command using \u003ccode\u003e/bin/sh -c\u003c/code\u003e, effectively running arbitrary shell commands on the host.\u003c/li\u003e\n\u003cli\u003eThe injected command executes successfully, for example creating a file \u003ccode\u003epoc_rce.txt\u003c/code\u003e on the server filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the Paperclip server host, enabling them to read environment variables, exfiltrate secrets, or establish a reverse shell.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants an attacker the ability to execute arbitrary commands on the Paperclip server, potentially leading to a full compromise of the deployment environment. Since Paperclip orchestrates multiple agents and repositories, attackers could read environment variables, exfiltrate secrets, modify repositories, access database credentials, execute reverse shells, and establish persistence on the host. The vulnerability allows a malicious agent to escape the orchestration layer and gain complete control over the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Paperclip Agent Configuration Modification\u003c/code\u003e to detect unauthorized modifications to the agent configuration via the API.\u003c/li\u003e\n\u003cli\u003eApply the suggested minimal patch by implementing a server-side check to reject modifications to \u003ccode\u003eadapterConfig.workspaceStrategy.provisionCommand\u003c/code\u003e when the request is authenticated using an Agent API key, as detailed in the \u0026quot;Minimal Patch Suggestion\u0026quot; section of the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003e/bin/sh -c\u003c/code\u003e with command line arguments that originate from Paperclip agent configurations using the Sigma rule \u003ccode\u003eDetect Paperclip Command Execution via Workspace Provisioning\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpgrade to Paperclip version 2026.416.0 or later to patch the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-paperclip-privesc/","summary":"A privilege escalation vulnerability in Paperclip allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host by injecting commands into the `adapterConfig.workspaceStrategy.provisionCommand` field via the `/agents/:id` API endpoint, leading to remote code execution.","title":"Paperclip Privilege Escalation via Agent API Key","url":"https://feed.craftedsignal.io/briefs/2024-01-paperclip-privesc/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Paperclip AI"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","paperclip","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Paperclip"],"content_html":"\u003cp\u003ePaperclip AI v2026.403.0 is vulnerable to OS command injection. The vulnerability resides in the execution workspace lifecycle, specifically within the \u003ccode\u003eworkspace-runtime.ts\u003c/code\u003e component. By sending a crafted \u003ccode\u003ePATCH\u003c/code\u003e request to the \u003ccode\u003e/api/execution-workspaces/:id\u003c/code\u003e endpoint, an attacker can inject arbitrary shell commands into the \u003ccode\u003ecleanupCommand\u003c/code\u003e field. When the affected workspace is archived the server executes the injected command via \u003ccode\u003echild_process.spawn(shell, [\u0026quot;-c\u0026quot;, cleanupCommand])\u003c/code\u003e. This vulnerability is exploitable in all deployment modes, including \u003ccode\u003elocal_trusted\u003c/code\u003e (zero authentication) and \u003ccode\u003eauthenticated\u003c/code\u003e (any company user). Successful exploitation allows for remote code execution with the privileges of the Paperclip server process on Linux, macOS, and Windows platforms. Proof of concept demonstrations include arbitrary file write, system information exfiltration, and GUI application launch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/companies\u003c/code\u003e to obtain a company ID.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/companies/{company_id}/execution-workspaces\u003c/code\u003e to enumerate execution workspaces and retrieve a workspace ID.\u003c/li\u003e\n\u003cli\u003eIf the workspace is not in an \u003ccode\u003eactive\u003c/code\u003e state, the attacker sends a \u003ccode\u003ePATCH\u003c/code\u003e request to \u003ccode\u003e/api/execution-workspaces/{workspace_id}\u003c/code\u003e with the body \u003ccode\u003e{\u0026quot;status\u0026quot;: \u0026quot;active\u0026quot;}\u003c/code\u003e to reactivate it.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePATCH\u003c/code\u003e request to \u003ccode\u003e/api/execution-workspaces/{workspace_id}\u003c/code\u003e with a JSON body containing a malicious \u003ccode\u003ecleanupCommand\u003c/code\u003e within the \u003ccode\u003econfig\u003c/code\u003e object, such as \u003ccode\u003e{\u0026quot;config\u0026quot;: {\u0026quot;cleanupCommand\u0026quot;: \u0026quot;echo RCE_PROOF \u0026gt; \\\\\u0026quot;/tmp/rce-proof.txt\\\\\u0026quot;\u0026quot;}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server stores the injected \u003ccode\u003ecleanupCommand\u003c/code\u003e in the workspace configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the command injection by sending a \u003ccode\u003ePATCH\u003c/code\u003e request to \u003ccode\u003e/api/execution-workspaces/{workspace_id}\u003c/code\u003e to archive the workspace, setting \u003ccode\u003e\u0026quot;status\u0026quot;: \u0026quot;archived\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server executes the injected command using \u003ccode\u003echild_process.spawn(shell, [\u0026quot;-c\u0026quot;, cleanupCommand])\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the server, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the Paperclip server with the privileges of the server process. This can lead to a range of severe impacts, including remote code execution, data exfiltration of sensitive information (e.g., system info, environment variables, source code), lateral movement within the network, and potential supply chain attacks by injecting backdoors into managed repositories. In \u003ccode\u003elocal_trusted\u003c/code\u003e mode, this requires zero authentication, making it easily exploitable by malicious local processes or web pages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation to the \u003ccode\u003ecleanupCommand\u003c/code\u003e and \u003ccode\u003eteardownCommand\u003c/code\u003e fields in the PATCH handler to prevent the injection of malicious commands.\u003c/li\u003e\n\u003cli\u003eImplement command allowlisting, permitting only a predefined set of safe commands for workspace cleanup.\u003c/li\u003e\n\u003cli\u003eReplace \u003ccode\u003espawn(shell, [\u0026quot;-c\u0026quot;, command])\u003c/code\u003e with \u003ccode\u003eexecFile()\u003c/code\u003e using an argument array to mitigate shell metacharacter injection.\u003c/li\u003e\n\u003cli\u003eImplement proper authorization checks BEFORE processing the PATCH request to validate user permissions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectPaperclipCleanupCommandInjection\u003c/code\u003e to identify attempts to exploit this vulnerability via the PATCH request to \u003ccode\u003e/api/execution-workspaces/:id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRun cleanup commands in a sandboxed environment to minimize the impact of potential exploits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-paperclip-rce/","summary":"A critical OS command injection vulnerability exists in Paperclip AI v2026.403.0 within the execution workspace lifecycle. By injecting arbitrary shell commands into the `cleanupCommand` field via the `PATCH /api/execution-workspaces/:id` endpoint, an attacker can execute these commands on the server when the workspace is archived.","title":"Paperclip AI OS Command Injection via Execution Workspace cleanupCommand","url":"https://feed.craftedsignal.io/briefs/2024-01-03-paperclip-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Paperclip","version":"https://jsonfeed.org/version/1.1"}