Paperclip Privilege Escalation Vulnerability Allowing Arbitrary OS Command Execution

A privilege escalation vulnerability has been identified in Paperclip, a Node.js server and React UI application that manages AI agents for business operations. This vulnerability affects versions of the Paperclip server prior to 2026.416.0. It allows an attacker with an Agent API key to execute arbitrary operating system commands on the server host. The issue arises because agents can modify their own configuration through the /agents/:id API endpoint. Specifically, the adapterConfig.workspaceStrategy.provisionCommand field, which is executed by the server during workspace provisioning, can be manipulated to inject shell commands. This exploitation breaks the intended separation between agent configurations and server execution, enabling unauthorized command execution on the host system.

Impact

Exploitation of this vulnerability leads to remote code execution on the Paperclip server host. An attacker could execute commands with the same privileges as the Paperclip server process, potentially allowing them to access sensitive information, modify files or repositories, and execute further malicious actions such as deploying reverse shells or establishing persistence on the host.

Reproduction

To reproduce this vulnerability, an agent must be created using the Paperclip UI or CLI to obtain an Agent API key. Once the key is acquired, the agent's configuration can be updated through the /api/agents/:id endpoint to inject a command into the provisionCommand field. After the command is injected, the agent can be awakened using the /api/agents/:id/wakeup endpoint, which triggers the execution of the injected command on the server host.

Remediation

Users are advised to update to Paperclip server version 2026.416.0 or later, where this vulnerability has been fixed.