Paperclip, a Node.js and React-based platform for managing teams of autonomous AI agents, patched three vulnerabilities on April 16, 2026 in v2026.416.0. Security researchers published analysis on April 21 via SecurityOnline detailing the severity: a CVSS 9.8 OS command injection, a CVSS 10 cross-tenant compromise, and a CVSS 10 cross-tenant listing leak. All versions through 2026.410.0-canary.1 are affected. The issues are resolved in the current release.
The Command Injection
The most severe flaw targets Paperclip’s workspace archival process. When a workspace is archived, the server passes the cleanupCommand field directly to child_process.spawn(shell, ["-c", cleanupCommand]) with no input validation or sanitization, according to SecurityOnline.
In the default local_trusted mode for desktop installations, this requires zero authentication. Researchers demonstrated three exploitation paths: arbitrary file writing to the local disk, full system information exfiltration via systeminfo, and GUI application launch. Any value placed in the cleanupCommand field executes as a shell command with the server’s privileges.
The same pattern exists in the teardownCommand field, which runs when workspaces are destroyed.
Cross-Tenant Compromise
The second vulnerability breaks tenant isolation entirely. Due to missing scope checks on API key management endpoints, any board-authenticated user in one company can supply a victim agent’s UUID in the URL path and list, create, or revoke API keys for agents belonging to a completely separate tenant on the same Paperclip instance, per SecurityOnline.
An attacker who mints an API key for another tenant’s agent inherits that agent’s permissions: executing workflows, reading data, and performing any action the compromised agent is authorized to take. The CVSS score is 10.
The third flaw enables the second. A listing leak exposes internal IDs, names, lastUsedAt timestamps, and revokedAt metadata for every agent registered on the platform, regardless of tenant. Because agent UUIDs are exposed through routine activity feeds and heartbeats, an attacker can harvest the specific UUID required to launch the cross-tenant key-minting attack.
The Architecture Pattern
The spawn(shell, ["-c", command]) pattern is a well-documented antipattern in Node.js security. It passes a string directly to the system shell for interpretation, meaning any shell metacharacters in the input become executable instructions. The recommended replacement, execFile(), bypasses shell interpretation entirely and executes the command binary directly.
For teams building agent orchestration platforms, the Paperclip disclosure highlights a specific risk: agent lifecycle operations (cleanup, teardown, archival) often need to execute system commands, and those execution paths are easy to overlook during security review because they run outside the primary agent workflow. The cleanup routine is not where developers expect an attacker to land, which is precisely why it makes a compelling injection target.
Required Actions
Paperclip users should update to v2026.416.0 or later immediately. Developers building similar platforms should audit any field that eventually reaches a shell execution call, sanitize cleanupCommand and teardownCommand inputs, and replace spawn(shell, ["-c", command]) with execFile() wherever possible.