Broken Authentication

Broken Authentication in Node.js (Express) Guide [CVE-2026-41679]

[Updated Apr 2026] Updated CVE-2026-41679

Overview

CVE-2026-41679 describes a broken-authentication vulnerability in Paperclip, a Node.js server with a React UI that orchestrates AI agents. Before version 2026.416.0, an unauthenticated attacker could achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with the default configuration. The attack requires no user interaction and relies on an insecure default configuration combined with weak authentication and authorization handling; a chain of six API calls is enough to compromise a default deployment, giving the attacker control of the host and the ability to execute arbitrary code. The issue maps to CWE-287 (Improper Authentication), CWE-862 (Missing Authorization), and CWE-1188 (Validation of Input and Output): the server fails to verify identity, to restrict access to admin surfaces, and to validate critical request data across endpoints. In Node.js/Express deployments this pattern appears when an application treats a request as authenticated, or grants admin permissions, by default rather than only when an explicit, correctly scoped token is presented. The result is a broad escalation path that an attacker can use without valid credentials or any user interaction.

Affected Versions

Paperclip < 2026.416.0

Code Fix Example

Node.js (Express) API Security Remediation
/* Vulnerable pattern and the fix side by side in one file (Node.js/Express) */
const express = require('express');
const http = require('http');

// Vulnerable application (default-auth bypass)
const appV = express();

// BROKEN: a request without a token is treated as the admin
appV.use((req, res, next) => {
  const token = req.headers['x-auth-token'];
  if (!token) {
    // Vulnerability: unauthenticated users are treated as admin
    req.user = { id: 'default-admin', role: 'admin' };
  } else if (token !== process.env.ADMIN_TOKEN) {
    return res.status(401).send('Unauthorized');
  } else {
    req.user = { id: 'token-user', role: 'admin' };
  }
  next();
});

appV.get('/admin/ping', (req, res) => {
  res.send('VULNERABLE: admin ping accessible');
});

// Fixed application (explicit, strict auth)
const appF = express();

// FIX: never assume an identity; require a valid token on every request
appF.use((req, res, next) => {
  const token = req.headers['x-auth-token'];
  if (!token) {
    return res.status(401).send('Unauthorized');
  }
  // If ADMIN_TOKEN is unset, no presented token can match, so this fails closed
  if (token !== process.env.ADMIN_TOKEN) {
    return res.status(403).send('Forbidden');
  }
  // Identity is only set after the token has been verified, so downstream
  // route-level role checks have something trustworthy to inspect
  req.user = { id: 'token-user', role: 'admin' };
  next();
});

appF.get('/admin/ping', (req, res) => {
  res.send('FIXED: admin ping secured');
});

http.createServer(appV).listen(3001, () => console.log('VULNERABLE server listening on 3001'));
http.createServer(appF).listen(3002, () => console.log('FIXED server listening on 3002'));

CVE References
