PT-2026-34622 · Paperclip · Paperclip

Sagilayani · Published 2026-04-10 · Updated 2026-04-28 · CVE-2026-41679

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Paperclip versions prior to 2026.416.0

Description: An unauthenticated attacker can achieve full remote code execution on any network-accessible instance running in authenticated mode with default configuration. The issue involves an import authorization bypass that allows a chain of six API calls to grant full control over the server operating system. The attack is fully automated and requires no user interaction or credentials.

Recommendations: Update to version 2026.416.0.

Exploit · Fix · RCE · Missing Authorization · Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-41679
GHSA-68QG-G8MG-6PR7

Affected Products

Paperclip