How should we interpret CVSS severity scores?

CVSS estimates technical severity, but it does not automatically equal business risk. Prioritize using context like internet exposure, asset criticality, known exploitation, and whether compensating controls exist. A Medium CVSS on an exposed production system can be more urgent than a Critical on an isolated non-production host.

Vulnerability Database

Q: What is a Vulnerability (CVE) and why does it matter?

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

Q: What's the difference between a vulnerability, an exploit, and a zero-day?

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. Risk increases sharply when exploitation becomes reliable or widespread.

Q: Why do vulnerabilities keep reappearing in our environment?

Recurring findings usually come from incomplete asset discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host.

Q: How do we prioritize remediation without burning out the team?

Use a repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress so remediation is steady, not reactive.

Q: How can SynScan help reduce vulnerability risk over time?

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.

346,508

Total vulnerabilities in the database

Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution — @paperclipai / server

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Summary

Paperclip contains a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The vulnerability occurs because agents are allowed to update their own adapterConfig via the /agents/:id API endpoint. The configuration field adapterConfig.workspaceStrategy.provisionCommand is later executed by the server runtime using:

spawn(&quot;/bin/sh&quot;, [&quot;-c&quot;, command])

As a result, an attacker controlling an agent credential can inject arbitrary shell commands which are executed by the Paperclip server during workspace provisioning. This breaks the intended trust boundary between agent runtime configuration and server host execution, allowing a compromised or malicious agent to escalate privileges and run commands on the host system. This vulnerability allows remote code execution on the server host.

Details

Rootcause

Agent configuration can be modified through the API endpoint:

PATCH /api/agents/:id

The validation schema allows arbitrary configuration fields:

adapterConfig: z.record(z.unknown())

This allows attackers to inject arbitrary keys into the adapter configuration object. Later, during workspace provisioning, the server runtime executes a shell command derived directly from this configuration. Relevant code path:

server/src/services/workspace-runtime.ts

adapterConfig.workspaceStrategy.provisionCommand
        ↓
provisionExecutionWorktree()
        ↓
runWorkspaceCommand(...)
        ↓
spawn(&quot;/bin/sh&quot;, [&quot;-c&quot;, input.command])

Example logic:

const provisionCommand = asString(input.strategy.provisionCommand, &quot;&quot;).trim()

await runWorkspaceCommand({
  command: provisionCommand
})

Inside runWorkspaceCommand the command is executed using:

spawn(shell, [&quot;-c&quot;, input.command])

Because no validation, escaping, or allowlist is applied, attacker-controlled configuration becomes a direct OS command execution primitive.

Affected Files

server/src/services/workspace-runtime.ts

Functions involved:

realizeExecutionWorkspace()
provisionExecutionWorktree()
runWorkspaceCommand()

Attacker Model

Required privileges: Attacker needs:

Agent API key

This credential is intended for agent automation and should not grant host-level execution privileges. Agent credentials may also be exposed to external runtimes, plugins, or third-party agent providers. Allowing such credentials to configure host-executed commands creates a privilege escalation vector. No board or administrator access is required.

Attacker Chain

Complete exploit chain:

Attacker obtains Agent API key
        ↓
PATCH /api/agents/:id
        ↓
Inject adapterConfig.workspaceStrategy.provisionCommand
        ↓
POST /api/agents/:id/wakeup
        ↓
Server executes workspace provisioning
        ↓
workspace-runtime.ts
        ↓
spawn(&quot;/bin/sh -c&quot;)
        ↓
Arbitrary command execution on server host

Trust Boundary Violation

Paperclip’s architecture assumes the following separation:

Agent runtime
        ↓
Paperclip control plane
        ↓
Server host OS

Agents should only perform workflow automation tasks through the orchestration layer.

However, because agent-controlled configuration is executed directly by the server runtime, the boundary collapses:

Agent configuration
        ↓
Server command execution

This allows an agent to execute commands outside its intended permissions.

Why This Is a Vulnerability (Not Expected Behavior)

The provisionCommand field appears intended for trusted operators configuring workspace strategies. However, the current API design allows agents themselves to modify this configuration. Because agent credentials are designed for automation and may be exposed to agent runtimes, plugins, or external providers, allowing them to configure commands executed by the host introduces a privilege escalation vector. Therefore:

Operator-controlled configuration → expected feature
Agent-controlled configuration → privilege escalation vulnerability

The vulnerability arises from insufficient separation between configuration authority and execution authority.

PoC

The following PoC demonstrates safe command execution by writing a marker file on the server. The PoC does not modify system state beyond creating a file.

Step 1 — Setup Environment

Run Server:

$env:SHELL = &quot;C:\Program Files\Git\bin\sh.exe&quot;
npx paperclipai onboard --yes

claude
/login

Step 2 — Obtain Agent API key

Create an agent via the UI or CLI and obtain its API key. Example:

pcp_xxxxxxxxxxxxxxxxxxxxx

Step 3 — Identify agent ID

GET /api/agents/me

Step 4 — Inject malicious configuration

PATCH /api/agents/{agentId}

<img width="1476" height="697" alt="image" src="https://github.com/user-attachments/assets/612f7a16-b6d6-418e-bcbe-ce602b711b14" /> Payload:

PS E:\BucVe\pocrepo&gt; $patchBody = @{
&gt;&gt;   adapterConfig = @{
&gt;&gt;     workspaceStrategy = @{
&gt;&gt;       type = &quot;git_worktree&quot;
&gt;&gt;       provisionCommand = &quot;echo PAPERCLIP_RCE &gt; poc_rce.txt&quot;
&gt;&gt;     }
&gt;&gt;   }
&gt;&gt; } | ConvertTo-Json -Depth 10

Step 5 — Trigger execution

POST /api/agents/{agentId}/wakeup

Step 6 — Verify command execution

<img width="1231" height="347" alt="image" src="https://github.com/user-attachments/assets/559c483b-077e-42dd-9309-6a5e5c6a3bdc" /> The marker file appears on the server filesystem:

~/.paperclip/worktrees/.../poc_rce.txt

Example content:

PAPERCLIP_RCE

This confirms that attacker-controlled commands executed on the server.

Impact

Successful exploitation allows:

Remote command execution on the Paperclip server

Potential attacker actions:

read environment variables
exfiltrate secrets
modify repositories
access database credentials
execute reverse shells
persist on host

Because Paperclip orchestrates multiple agents and repositories, this can lead to full compromise of the deployment environment. This effectively allows a malicious agent to escape the orchestration layer and execute arbitrary commands on the server host.

Recommended Fix

Restrict configuration authority Agents should not be able to modify execution-sensitive configuration fields. Example mitigation:

deny adapterConfig.workspaceStrategy modification from agent credentials

Server-side allowlist Only allow trusted configuration keys. Example:

adapterConfig.workspaceStrategy.provisionCommand

should only be configurable by board/admin actors.

Avoid shell execution Instead of:

spawn(&quot;/bin/sh&quot;, [&quot;-c&quot;, command])

prefer:

spawn(binary, args)

or a restricted command runner.

Input validation Reject commands containing shell operators:

|
&amp;
;
$
`

Sandboxed workspace execution Workspace provisioning should run in a restricted environment (container / sandbox).

Minimal Patch Suggestion

One possible mitigation is to prevent agent principals from modifying execution-sensitive configuration fields such as workspaceStrategy.provisionCommand. For example, during agent configuration updates, the server can explicitly reject this field when the request is authenticated using an Agent API key. Example TypeScript guard:

// reject agent-controlled provisionCommand
if (
  request.auth?.principal === &quot;agent&quot; &amp;&amp;
  body?.adapterConfig?.workspaceStrategy?.provisionCommand
) {
  throw new Error(
    &quot;Agents are not permitted to configure workspaceStrategy.provisionCommand&quot;
  );
}

Additionally, the server should avoid executing arbitrary shell commands derived from configuration values. Instead of executing:

spawn(&quot;/bin/sh&quot;, [&quot;-c&quot;, command])

prefer structured execution:

spawn(binary, args)

or restrict the command to a predefined allowlist.

Security Impact Statement

An authenticated attacker with an Agent API key can modify their agent configuration to inject arbitrary shell commands into workspaceStrategy.provisionCommand. These commands are executed by the Paperclip server during workspace provisioning via spawn("/bin/sh", ["-c", command]), resulting in arbitrary command execution on the host system.

Disclosure

This vulnerability was discovered during security research on the Paperclip orchestration runtime. The issue is reported privately to allow maintainers to patch before public disclosure.

Published: Apr 16, 2026
Updated: Apr 17, 2026
GHSA: GHSA-265w-rf2w-cjh4
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
@paperclipai / server	-	2026.416.0

https://github.com/paperclipai/paperclip/security/advisories/GHSA-265w-rf2w-cjh4

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo

Frequently Asked Questions

What is a Vulnerability (CVE) and why does it matter?

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.