10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-47wq-cj9q-wpmp

GHSA-47wq-cj9q-wpmp: Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys

Isolated paperclip instance running in authenticated mode (default config) on a clean Docker image matching commit b649bd4 (2026.411.0-canary.8, post the 2026.410.0 patch). This advisory was verified on an unmodified build.

Summary

POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE /api/agents/:id/keys/:keyId (server/src/routes/agents.ts lines 2050-2087) only call assertBoard to authorize the caller. They never call assertCompanyAccess and never verify that the caller is a member of the company that owns the target agent.

Any authenticated board user (including a freshly signed-up account with zero company memberships and no instance_admin role) can mint a plaintext pcp_* agent API token for any agent in any company on the instance. The minted token is bound to the victim agent's companyId server-side, so every downstream assertCompanyAccess check on that token authorizes operations inside the victim tenant.

This is a pure authorization bypass on the core tenancy boundary. It is distinct from GHSA-68qg-g8mg-6pr7 (the unauth import → RCE chain disclosed in 2026.410.0): that advisory fixed one handler, this report is a different handler with the same class of mistake that the 2026.410.0 patch did not cover.

Root Cause

server/src/routes/agents.ts, lines 2050-2087:

router.get("/agents/:id/keys", async (req, res) => {
  assertBoard(req);                             // <-- no assertCompanyAccess
  const id = req.params.id as string;
  const keys = await svc.listKeys(id);
  res.json(keys);
});

router.post("/agents/:id/keys", validate(createAgentKeySchema), async (req, res) => {
  assertBoard(req);                             // <-- no assertCompanyAccess
  const id = req.params.id as string;
  const key = await svc.createApiKey(id, req.body.name);
  ...
  res.status(201).json(key);                    // returns plaintext `token`
});

router.delete("/agents/:id/keys/:keyId", async (req, res) => {
  assertBoard(req);                             // <-- no assertCompanyAccess
  const keyId = req.params.keyId as string;
  const revoked = await svc.revokeKey(keyId);
  ...
});

<img width="5429" height="1448" alt="02-signup" src="https://github.com/user-attachments/assets/4c2b2939-326b-4e0d-aa01-05e22851486b" /> > Step 1-2: Mallory signs up via the default `/api/auth/sign-up/email` flow > (no invite, no verification) and confirms via `GET /api/companies` that she > is a member of zero companies. She has no tenant access through the normal > authorization path. <img width="2891" height="1697" alt="03-exploit" src="https://github.com/user-attachments/assets/c097e861-6bc9-4f6a-841c-b45501e27849" /> > Step 3 — the vulnerability. Mallory POSTs to `/api/agents/:id/keys` > targeting an agent in Victim Corp (a company she is NOT a member of). The > server returns a plaintext `pcp_*` token tied to the victim's `companyId`. > There is no authorization error. `assertBoard` passed because Mallory is a > board user; `assertCompanyAccess` was never called. <img width="2983" height="2009" alt="04-exfil" src="https://github.com/user-attachments/assets/ede5d469-4119-432c-b0ae-5a4fabc9a56b" /> > Step 4-5: Use the stolen token as a Bearer credential. `actorMiddleware` > resolves it to `actor = { type: "agent", companyId: VICTIM }`, so every > downstream `assertCompanyAccess` gate authorizes reads against Victim Corp. > Mallory can now enumerate the victim's company metadata, issues, approvals, > and agent configuration — none of which she had access to 30 seconds ago.

Miggo Vulnerability Database

→

GHSA-47wq-cj9q-wpmp

GHSA-47wq-cj9q-wpmp:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@paperclipai/server	npm	< 2026.416.0	2026.416.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic Broken Access Control issue (CWE-862: Missing Authorization). Multiple API endpoints in server/src/routes/agents.ts that manage agents and their API keys failed to perform a critical authorization check. The code only verified that a request came from an authenticated user (via assertBoard) but did not verify that the user belonged to the same company as the agent they were attempting to manage (which should be done by assertCompanyAccess).

This allowed any authenticated user, even a newly registered one with no permissions or company affiliations, to perform sensitive actions on any agent in any company on the platform. The most critical impact comes from the POST /api/agents/:id/keys endpoint, which allowed an attacker to mint a new, valid API token for an agent in a victim's company. This token would then grant the attacker access to the victim company's data and resources, leading to a full cross-tenant information disclosure and integrity compromise.

Other affected endpoints for agent lifecycle management (/pause, /resume, /terminate, /delete) allowed for a denial-of-service attack against any agent on the instance.

The analysis of the patch commit 32a9165ddf6308f3b46eae0653b6f583e502e538 confirms this. The addition of the test file server/src/__tests__/agent-cross-tenant-authz-routes.test.ts provides clear evidence of the fix. This file contains specific tests to ensure that cross-tenant requests to the vulnerable endpoints are rejected, confirming that the missing assertCompanyAccess checks were added. The vulnerable functions are the anonymous Express route handlers for the affected API paths, as well as the service function agents.createApiKey which is instrumental in the exploit.

Vulnerable functions

router.get("/agents/:id/keys")

server/src/routes/agents.ts

This function, which handles GET requests to `/api/agents/:id/keys`, only checked if a user was authenticated (`assertBoard`) but failed to verify if the user belonged to the company that owned the agent. This allowed any authenticated user on the platform to list the API keys of any agent in any company, leading to a cross-tenant information disclosure vulnerability.

router.post("/agents/:id/keys")

server/src/routes/agents.ts

This function, which handles POST requests to `/api/agents/:id/keys`, was the most critical part of the vulnerability. It allowed any authenticated user to mint a new API token for any agent in any company. The function only performed an authentication check (`assertBoard`) without an authorization check (`assertCompanyAccess`), enabling a complete bypass of the tenancy model.

router.delete("/agents/:id/keys/:keyId")

server/src/routes/agents.ts

This function, which handles DELETE requests to `/api/agents/:id/keys/:keyId`, only checked for user authentication (`assertBoard`) and not for company membership. This allowed any authenticated user to revoke/delete the API keys of any agent in any company, potentially causing a denial of service.

router.post("/agents/:id/pause")

server/src/routes/agents.ts

This function, handling agent pausing, was vulnerable due to a missing `assertCompanyAccess` check. It allowed any authenticated user to pause any agent in any company, leading to a cross-tenant denial of service.

router.post("/agents/:id/resume")

server/src/routes/agents.ts

This function, handling agent resuming, was vulnerable due to a missing `assertCompanyAccess` check. It allowed any authenticated user to resume any agent in any company, enabling unauthorized cross-tenant actions.

router.post("/agents/:id/terminate")

server/src/routes/agents.ts

This function, handling agent termination, was vulnerable due to a missing `assertCompanyAccess` check. It allowed any authenticated user to terminate any agent in any company, leading to a cross-tenant denial of service.

router.delete("/agents/:id")

server/src/routes/agents.ts

This function, handling agent deletion, was vulnerable due to a missing `assertCompanyAccess` check. It allowed any authenticated user to delete any agent in any company, leading to a severe cross-tenant availability and integrity impact.

agents.createApiKey

server/src/services/agents.ts

While the primary vulnerability was the missing authorization check in the route handler, this service function is a key part of the exploit chain. It is called by the vulnerable `POST /api/agents/:id/keys` endpoint and is responsible for creating the API token. Crucially, it associates the new token with the victim agent's `companyId`, which is what allows the attacker's token to gain access to the victim's tenant. This function would appear in a runtime profile during exploitation.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.