CVE-2026-41679

Paperclip · Paperclip

An unauthenticated remote code execution vulnerability exists in Paperclip due to improper handling of API calls in default configurations.

Executive summary

A critical remote code execution vulnerability in Paperclip allows unauthenticated attackers to gain full system control without user interaction.

Vulnerability

This is a remote code execution (RCE) vulnerability stemming from a chain of six API calls that can be exploited by an unauthenticated attacker to execute arbitrary code on instances running in default configurations.

Business impact

Successful exploitation grants an attacker full remote control over the affected server. This facilitates complete data exfiltration, total system compromise, and the potential for lateral movement across the network. Given the CVSS score of 10.0, this represents the highest level of risk to operational integrity and data confidentiality.

Remediation

Immediate Action: Upgrade all Paperclip instances to version 2026.416.0 or later without delay.

Proactive Monitoring: Review API access logs for sequences of six consecutive, unauthorized requests targeting internal orchestration endpoints.

Compensating Controls: Restrict network access to the Paperclip management interface using IP allowlisting or VPN-only access until the patch is applied.
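A detection routine for the monitoring guidance above, added here as an example and not part of the advisory or of Paperclip itself: it parses constructed access-log lines, groups requests by source address and flags any source that issues six consecutive unauthenticated requests to internal orchestration endpoints within a short time window. The log line format, the `/api/internal/orchestration/` path prefix, the `-` marker for a request with no authenticated principal and the 60-second window are all assumptions, since the advisory names none of them; adapt the regular expression, the prefix and the authentication test to the deployment's real logs.

```python
"""Flag runs of unauthenticated requests to internal orchestration endpoints.

Added example for the advisory's "Proactive Monitoring" item; not Paperclip's
own code.  Log format, endpoint prefix and the "-" unauthenticated marker are
assumptions and must be adapted to the deployment being monitored.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# ASSUMPTION: the advisory speaks of "internal orchestration endpoints" but gives
# no path; this placeholder prefix stands in for whatever the deployment exposes.
INTERNAL_PREFIX = "/api/internal/orchestration/"
CHAIN_LENGTH = 6            # the advisory describes a six-call chain
WINDOW_SECONDS = 60         # constructed threshold for "consecutive"

# ASSUMPTION: combined-log-like lines with a "user" field where "-" means no
# authenticated principal.  Real Paperclip logs may look different.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one source chaining six unauthenticated internal calls,
# one authenticated operator, one source whose run is broken by an authenticated
# request, and one malformed line that the parser must skip.
SAMPLE_LOG = """\
203.0.113.7 - [2026-04-16T10:00:01Z] "POST /api/internal/orchestration/call-1 HTTP/1.1" 200
198.51.100.4 alice [2026-04-16T10:00:02Z] "GET /api/internal/orchestration/status HTTP/1.1" 200
203.0.113.7 - [2026-04-16T10:00:03Z] "POST /api/internal/orchestration/call-2 HTTP/1.1" 200
198.51.100.4 - [2026-04-16T10:00:04Z] "GET /api/public/health HTTP/1.1" 200
203.0.113.7 - [2026-04-16T10:00:05Z] "POST /api/internal/orchestration/call-3 HTTP/1.1" 200
203.0.113.7 - [2026-04-16T10:00:07Z] "POST /api/internal/orchestration/call-4 HTTP/1.1" 200
203.0.113.7 - [2026-04-16T10:00:09Z] "POST /api/internal/orchestration/call-5 HTTP/1.1" 200
203.0.113.7 - [2026-04-16T10:00:11Z] "POST /api/internal/orchestration/call-6 HTTP/1.1" 200
192.0.2.9 - [2026-04-16T10:05:00Z] "POST /api/internal/orchestration/call-1 HTTP/1.1" 200
192.0.2.9 - [2026-04-16T10:05:02Z] "POST /api/internal/orchestration/call-2 HTTP/1.1" 200
192.0.2.9 - [2026-04-16T10:05:04Z] "POST /api/internal/orchestration/call-3 HTTP/1.1" 200
192.0.2.9 - [2026-04-16T10:05:06Z] "POST /api/internal/orchestration/call-4 HTTP/1.1" 200
192.0.2.9 - [2026-04-16T10:05:08Z] "POST /api/internal/orchestration/call-5 HTTP/1.1" 200
192.0.2.9 bob [2026-04-16T10:05:10Z] "GET /api/internal/orchestration/status HTTP/1.1" 200
192.0.2.9 - [2026-04-16T10:05:12Z] "POST /api/internal/orchestration/call-1 HTTP/1.1" 200
192.0.2.9 - [2026-04-16T10:05:14Z] "POST /api/internal/orchestration/call-2 HTTP/1.1" 200
this line is not an access-log entry and is skipped
"""


@dataclass
class Request:
    ip: str
    user: str
    ts: datetime
    method: str
    path: str
    status: int


@dataclass
class Finding:
    ip: str
    first_ts: datetime
    last_ts: datetime
    paths: list


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Request(
        ip=m["ip"], user=m["user"],
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        method=m["method"], path=m["path"], status=int(m["status"]),
    )


def is_suspicious(req):
    """Unauthenticated request to an internal orchestration endpoint.  The
    status code is kept on the Request so a deployment that logs 401/403 for
    rejected calls can widen this predicate."""
    return req.user == "-" and req.path.startswith(INTERNAL_PREFIX)


def find_chains(lines, chain_length=CHAIN_LENGTH, window_seconds=WINDOW_SECONDS):
    """Return one Finding per run of `chain_length` consecutive suspicious
    requests from a single source that all fall inside `window_seconds`.
    An authenticated request or a request to any other path breaks the run."""
    window = timedelta(seconds=window_seconds)
    streams = {}
    for line in lines:
        req = parse_line(line)
        if req is not None:
            streams.setdefault(req.ip, []).append(req)

    findings = []
    for ip, reqs in streams.items():
        reqs.sort(key=lambda r: r.ts)
        run = []
        for req in reqs:
            if not is_suspicious(req):
                run = []                      # benign request breaks the run
                continue
            run.append(req)
            while run and req.ts - run[0].ts > window:
                run.pop(0)                    # drop requests outside the window
            if len(run) == chain_length:
                findings.append(Finding(ip, run[0].ts, run[-1].ts,
                                        [r.path for r in run]))
                run = []                      # report each chain once
    return findings


def scan_sample():
    """Run the detector over the constructed sample log."""
    return find_chains(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.ip}: {len(f.paths)} unauthenticated internal calls "
              f"between {f.first_ts:%H:%M:%S} and {f.last_ts:%H:%M:%S}")
```

On the sample log only `203.0.113.7` is reported: `192.0.2.9` reaches five unauthenticated calls before an authenticated request resets its run, and the operator `alice` is never counted because her requests carry a principal. Lowering `chain_length` or widening the window trades missed short chains against noise from legitimate automation, so tune both against a baseline of normal traffic before alerting on the result.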

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this vulnerability cannot be overstated. Organizations must prioritize the deployment of the 2026.416.0 update across all production environments. Failure to patch leaves the system exposed to trivial, automated exploitation by unauthenticated actors.