CVE-2026-41208

CVE-2026-41208 is a high-severity OS command injection vulnerability in @paperclipai/server (npm), affecting versions < 2026.416.0. It is fixed in 2026.416.0.

Summary

Paperclip contains a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host.
An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host.
The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint.
The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime using:

spawn("/bin/sh", ["-c", command])

As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning.
This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system.
This vulnerability allows remote code execution on the server host.

Details

Root cause

Agent configuration can be modified through the API endpoint:

PATCH /api/agents/:id

The validation schema allows arbitrary configuration fields:

adapterConfig: z.record(z.unknown())

This allows attackers to inject arbitrary keys into the adapter configuration object.
Later, during workspace provisioning, the server runtime executes a shell command derived directly from this configuration.
Relevant code path:

server/src/services/workspace-runtime.ts

adapterConfig.workspaceStrategy.provisionCommand
        ↓
provisionExecutionWorktree()
        ↓
runWorkspaceCommand(...)
        ↓
spawn("/bin/sh", ["-c", input.command])

Example logic:

const provisionCommand = asString(input.strategy.provisionCommand, "").trim()

await runWorkspaceCommand({
  command: provisionCommand
})

Inside runWorkspaceCommand the command is executed using:

spawn(shell, ["-c", input.command])

Because no validation, escaping, or allowlist is applied, attacker-controlled configuration becomes a direct OS command execution primitive.

Affected Files

server/src/services/workspace-runtime.ts

Functions involved:

realizeExecutionWorkspace()
provisionExecutionWorktree()
runWorkspaceCommand()

Attacker Model

Required privileges: an Agent API key.

This credential is intended for agent automation and should not grant host-level execution privileges.
Agent credentials may also be exposed to external runtimes, plugins, or third-party agent providers. Allowing such credentials to configure host-executed commands creates a privilege escalation vector.
No board or administrator access is required.

Attacker Chain

Complete exploit chain:

Attacker obtains Agent API key
        ↓
PATCH /api/agents/:id
        ↓
Inject adapterConfig.workspaceStrategy.provisionCommand
        ↓
POST /api/agents/:id/wakeup
        ↓
Server executes workspace provisioning
        ↓
workspace-runtime.ts
        ↓
spawn("/bin/sh -c")
        ↓
Arbitrary command execution on server host

Trust Boundary Violation

Paperclip’s architecture assumes the following separation:

Agent runtime
        ↓
Paperclip control plane
        ↓
Server host OS

Agents should only perform workflow automation tasks through the orchestration layer.

However, because agent-controlled configuration is executed directly by the server runtime, the boundary collapses:

Agent configuration
        ↓
Server command execution

This allows an agent to execute commands outside its intended permissions.

Why This Is a Vulnerability (Not Expected Behavior)

The provisionCommand field appears intended for trusted operators configuring workspace strategies.
However, the current API design allows agents themselves to modify this configuration.
Because agent credentials are designed for automation and may be exposed to agent runtimes, plugins, or external providers, allowing them to configure commands executed by the host introduces a privilege escalation vector.
Therefore:

Operator-controlled configuration → expected feature
Agent-controlled configuration → privilege escalation vulnerability

The vulnerability arises from insufficient separation between configuration authority and execution authority.

PoC

The following PoC demonstrates safe command execution by writing a marker file on the server.
The PoC does not modify system state beyond creating a file.

Step 1, Set up environment

Run Server:

$env:SHELL = "C:\Program Files\Git\bin\sh.exe"
npx paperclipai onboard --yes

Log in to Claude:

claude
/login

Step 2, Obtain Agent API key

Create an agent via the UI or CLI and obtain its API key.
Example:

pcp_xxxxxxxxxxxxxxxxxxxxx

Step 3, Identify agent ID

GET /api/agents/me

Step 4, Inject malicious configuration

PATCH /api/agents/{agentId}

Payload (PowerShell):

$patchBody = @{
  adapterConfig = @{
    workspaceStrategy = @{
      type = "git_worktree"
      provisionCommand = "echo PAPERCLIP_RCE > poc_rce.txt"
    }
  }
} | ConvertTo-Json -Depth 10

Step 5, Trigger execution

POST /api/agents/{agentId}/wakeup

Step 6, Verify command execution

The marker file appears on the server filesystem:

~/.paperclip/worktrees/.../poc_rce.txt

Example content:

PAPERCLIP_RCE

This confirms that attacker-controlled commands executed on the server.

Minimal Patch Suggestion

One possible mitigation is to prevent agent principals from modifying execution-sensitive configuration fields such as workspaceStrategy.provisionCommand.
For example, during agent configuration updates, the server can explicitly reject this field when the request is authenticated using an Agent API key.
Example TypeScript guard:

// reject agent-controlled provisionCommand
if (
  request.auth?.principal === "agent" &&
  body?.adapterConfig?.workspaceStrategy?.provisionCommand
) {
  throw new Error(
    "Agents are not permitted to configure workspaceStrategy.provisionCommand"
  );
}

Additionally, the server should avoid executing arbitrary shell commands derived from configuration values.
Instead of executing:

spawn("/bin/sh", ["-c", command])

prefer structured execution:

spawn(binary, args)

or restrict the command to a predefined allowlist.
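The following JavaScript is an added example written for this advisory; it is not Paperclip's code. It ties the root cause described under Details (agent-writable adapterConfig reaching spawn("/bin/sh", ["-c", command])) to the two mitigations suggested here: a write-time guard that rejects execution-sensitive fields when the principal is an agent, plus a structured, allowlisted replacement for shell execution. It also includes an audit helper for deployments that ran an affected version. The names EXECUTION_SENSITIVE_PATHS, validateAgentPatch, auditStoredAgents, PROVISION_RECIPES, planProvision and runPlan, and the fields worktreePath and branch, are assumptions made for the illustration; only the strategy type "git_worktree" and the provisionCommand path come from the advisory.

```javascript
// Added example (not Paperclip's code). Names and fields other than
// adapterConfig.workspaceStrategy.provisionCommand and "git_worktree" are assumptions.

// Dotted config paths that must never be written by an agent principal.
const EXECUTION_SENSITIVE_PATHS = [
  "adapterConfig.workspaceStrategy.provisionCommand",
];

// Resolve a dotted path in a nested plain object; undefined if any link is missing.
function getPath(obj, dotted) {
  return dotted.split(".").reduce(
    (cur, key) => (cur !== null && typeof cur === "object" ? cur[key] : undefined),
    obj
  );
}

// Write-time guard for PATCH /api/agents/:id. Returns the sensitive paths present
// in the body; an empty array means the patch is acceptable for this principal.
// Operators keep the feature; an agent credential cannot reach host execution.
function validateAgentPatch(body, principal) {
  if (principal !== "agent") return [];
  return EXECUTION_SENSITIVE_PATHS.filter((p) => getPath(body, p) !== undefined);
}

// Audit for deployments that ran an affected version: list stored agents whose
// strategy carries a provisionCommand so an operator can review who set it and why.
function auditStoredAgents(agents) {
  const path = "adapterConfig.workspaceStrategy.provisionCommand";
  return agents
    .filter((agent) => typeof getPath(agent, path) === "string")
    .map((agent) => ({ id: agent.id, provisionCommand: getPath(agent, path) }));
}

// Structured provisioning: configuration selects a named recipe and supplies
// validated arguments. The result is an argv array for spawn(file, args), so no
// shell ever parses configuration text.
const PROVISION_RECIPES = {
  git_worktree: {
    file: "git",
    build: (s) => [
      "worktree", "add",
      requireSafe(s.worktreePath, "worktreePath"),
      requireSafe(s.branch, "branch"),
    ],
  },
  none: null, // nothing to run for this strategy
};

// Conservative argument pattern: no whitespace or shell metacharacters, and no
// leading "-", which would otherwise let a value be parsed as a git option.
// Argument injection survives the move away from /bin/sh -c, so it needs its own check.
const SAFE_ARG = /^[A-Za-z0-9\/][A-Za-z0-9._\/-]{0,399}$/;

function requireSafe(value, name) {
  if (typeof value !== "string" || !SAFE_ARG.test(value)) {
    throw new Error(`rejected ${name}: ${JSON.stringify(value)}`);
  }
  return value;
}

// Returns { file, args } for a known strategy, null for "none", throws otherwise.
// hasOwnProperty keeps names like "constructor" from resolving via the prototype.
function planProvision(strategy) {
  if (!Object.prototype.hasOwnProperty.call(PROVISION_RECIPES, strategy.type)) {
    throw new Error(`unknown workspace strategy: ${strategy.type}`);
  }
  const recipe = PROVISION_RECIPES[strategy.type];
  if (recipe === null) return null;
  return { file: recipe.file, args: recipe.build(strategy) };
}

// Executes a plan without a shell; child_process is required lazily so the pure
// functions above stay usable in any module system.
function runPlan(plan, cwd) {
  if (plan === null) return 0;
  const { spawnSync } = require("node:child_process");
  return spawnSync(plan.file, plan.args, { cwd, stdio: "inherit" }).status;
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed sample: an agent principal sending the patch shape the advisory describes.
  const patch = {
    adapterConfig: {
      workspaceStrategy: {
        type: "git_worktree",
        provisionCommand: "echo PAPERCLIP_RCE > poc_rce.txt",
      },
    },
  };
  console.log("agent patch rejected paths:", validateAgentPatch(patch, "agent"));
  console.log("operator patch rejected paths:", validateAgentPatch(patch, "operator"));
  console.log("plan:", planProvision({ type: "git_worktree", worktreePath: "/srv/wt/a", branch: "main" }));
}
```

The deny-list in validateAgentPatch is the minimal form of the guard; the stronger form replaces z.record(z.unknown()) with an explicit schema of the keys an agent may write, so unknown fields are rejected rather than stored. planProvision keeps configuration and execution authority separate: configuration can only pick a recipe and supply arguments that pass SAFE_ARG, and the argv it produces is handed to spawn(file, args) rather than to a shell.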

Security Impact Statement

An authenticated attacker with an Agent API key can modify their agent configuration to inject arbitrary shell commands into workspaceStrategy.provisionCommand. These commands are executed by the Paperclip server during workspace provisioning via spawn("/bin/sh", ["-c", command]), resulting in arbitrary command execution on the host system.

Disclosure

This vulnerability was discovered during security research on the Paperclip orchestration runtime.
The issue was reported privately so that the maintainers could patch it before public disclosure.

Impact

Successful exploitation allows:

Remote command execution on the Paperclip server

Potential attacker actions:

read environment variables
exfiltrate secrets
modify repositories
access database credentials
execute reverse shells
persist on host

Because Paperclip orchestrates multiple agents and repositories, this can lead to full compromise of the deployment environment.
This effectively allows a malicious agent to escape the orchestration layer and execute arbitrary commands on the server host.

Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.

CVE-2026-41208 has a CVSS score of 8.8 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2026.416.0); upgrading removes the vulnerable code path.

Affected versions

@paperclipai/server (< 2026.416.0)

Security releases

@paperclipai/server → 2026.416.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade @paperclipai/server to 2026.416.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-41208? CVE-2026-41208 is a high-severity OS command injection vulnerability in @paperclipai/server (npm), affecting versions < 2026.416.0. It is fixed in 2026.416.0. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
  2. How severe is CVE-2026-41208? CVE-2026-41208 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @paperclipai/server are affected by CVE-2026-41208? @paperclipai/server (npm) versions < 2026.416.0 are affected.
  4. Is there a fix for CVE-2026-41208? Yes. CVE-2026-41208 is fixed in 2026.416.0. Upgrade to this version or later.
  5. Is CVE-2026-41208 exploitable, and should I be worried? Whether CVE-2026-41208 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-41208 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41208? Upgrade @paperclipai/server to 2026.416.0 or later.
