Upgrade @paperclipai/server to version 2026.416.0 or higher.
Affected versions of this package are vulnerable to Insufficient Granularity of Access Control due to inadequate authorization checks in the POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE /api/agents/:id/keys/:keyId routes. An attacker can gain unauthorized access to sensitive data and perform privileged actions across tenant boundaries by minting agent API tokens for agents belonging to other companies, then using those tokens to access or modify resources in the victim tenant.
Note: This is only exploitable if the application is running in authenticated mode with open signup enabled and at least one other company with agents exists on the instance.