Insufficient Granularity of Access Control Affecting @paperclipai/ui package, versions <2026.416.0


Severity

high (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JS-PAPERCLIPAIUI-16421512
  • Published: 5 May 2026
  • Disclosed: 16 Apr 2026
  • Credit: Peak Twilight

Introduced: 16 Apr 2026

CVE: not available
CWE: CWE-1220, CWE-639, CWE-862

How to fix?

Upgrade @paperclipai/ui to version 2026.416.0 or higher.

Overview

@paperclipai/ui provides prebuilt Paperclip board UI assets.

Affected versions of this package are vulnerable to Insufficient Granularity of Access Control due to inadequate authorization checks in the POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE /api/agents/:id/keys/:keyId routes. An attacker can gain unauthorized access to sensitive data and perform privileged actions across tenant boundaries by minting agent API tokens for agents belonging to other companies, then using those tokens to access or modify resources in the victim tenant.

Note: This is only exploitable if the application is running in authenticated mode with open signup enabled and at least one other company with agents exists on the instance.
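The missing check, shown as an added illustration rather than Paperclip's own code: a key-minting handler that verifies only that the caller is authenticated, beside the tenant-scoped form that also verifies the agent belongs to the caller's company, for the mint and delete paths (the list path takes the same agent check). The in-memory agents and keys maps, caller.companyId and all function names are assumptions.

```javascript
// Constructed sample data: two companies (tenants), one agent each.
const agents = new Map([
  ['agent-1', { id: 'agent-1', companyId: 'company-A' }],
  ['agent-2', { id: 'agent-2', companyId: 'company-B' }],
]);
const keys = new Map(); // keyId -> { agentId }
let nextKeyNumber = 1;

// Vulnerable shape (CWE-862 / CWE-639): the handler checks only that the caller
// is authenticated, never that the agent belongs to the caller's company, so a
// self-registered user of company A can mint a key for company B's agent.
function mintKeyUnscoped(caller, agentId) {
  if (!caller) return { status: 401 };
  const agent = agents.get(agentId);
  if (!agent) return { status: 404 };
  const keyId = `key-${nextKeyNumber++}`;
  keys.set(keyId, { agentId });
  return { status: 201, keyId };
}

// Hardened shape: resolve the agent inside the caller's tenant. A foreign agent
// id is treated exactly like a nonexistent one (404), which also avoids
// revealing which agent ids exist in other tenants.
function findAgentInTenant(caller, agentId) {
  const agent = agents.get(agentId);
  return agent && agent.companyId === caller.companyId ? agent : null;
}

function mintKeyScoped(caller, agentId) {
  if (!caller) return { status: 401 };
  if (!findAgentInTenant(caller, agentId)) return { status: 404 };
  const keyId = `key-${nextKeyNumber++}`;
  keys.set(keyId, { agentId });
  return { status: 201, keyId };
}

// Deletion carries a second user-controlled identifier (keyId), so checking
// the agent alone is not enough: the key must also hang off that agent.
function deleteKeyScoped(caller, agentId, keyId) {
  if (!caller) return { status: 401 };
  if (!findAgentInTenant(caller, agentId)) return { status: 404 };
  const key = keys.get(keyId);
  if (!key || key.agentId !== agentId) return { status: 404 };
  keys.delete(keyId);
  return { status: 204 };
}
```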
