{"url":"http://public2.vulnerablecode.io/api/packages/1003366?format=json","purl":"pkg:npm/paperclipai@2026.319.0-canary.3","type":"npm","namespace":"","name":"paperclipai","version":"2026.319.0-canary.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359818?format=json","vulnerability_id":"VCID-fwnj-9nrb-fkhr","summary":"Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email\n### Summary\n\nA Paperclip-managed `codex_local` runtime was able to access and use a Gmail connector that I had connected in the ChatGPT/OpenAI apps UI, even though I had not explicitly connected Gmail inside Paperclip or separately inside Codex.\n\nIn my environment this enabled mailbox access and a real outbound email to be sent from my Gmail account. After I manually intervened to stop the workflow, follow-up retraction messages were also sent, confirming repeated outward write/send capability.\n\nThis appears to be a trust-boundary failure between Paperclip-managed Codex execution and inherited OpenAI app connectors, amplified by dangerous-by-default runtime settings.\n\n### Details\n\nSuccessful runtime calls include:\n\n- `mcp__codex_apps__gmail_get_profile`\n- `mcp__codex_apps__gmail_search_emails`\n- `mcp__codex_apps__gmail_send_email`\n\nThe connected Gmail profile resolved to my personal account.\n\nInside the Paperclip-managed `codex-home`, I also found cached OpenAI curated connector state for Gmail under a path like:\n\n- `codex-home/plugins/cache/openai-curated/gmail/.../.app.json`\n\nThis strongly suggests that the runtime had access to an already connected OpenAI apps surface rather than a Paperclip-specific Gmail integration that I intentionally configured.\n\nSeparately, in the installed Paperclip code, `codex_local` defaults `dangerouslyBypassApprovalsAndSandbox` to `true`, and the server-side agent creation path applies that default when the flag is omitted. In practice, that makes this boundary failure much more dangerous because a newly created `codex_local` agent can operate with approvals and sandbox bypassed by default.\n\nThe key issue is this: I had connected Gmail only in the ChatGPT/OpenAI apps UI. I had not intentionally connected Gmail inside Paperclip or separately inside Codex. Despite that, the Paperclip-managed `codex_local` runtime was able to use Gmail read/write actions.\n\n### PoC\n\nEnvironment:\n\n- self-hosted Paperclip instance using `codex_local`\n- Gmail connected in the ChatGPT/OpenAI apps UI\n- no explicit Gmail connection configured inside Paperclip for this test\n- `codex_local` agent created and run with default behavior\n\nObserved reproduction path:\n\n1. Connect Gmail in the ChatGPT/OpenAI apps UI.\n2. Create or run a Paperclip `codex_local` agent.\n3. Execute a task that inspects mailbox state or performs outward communication.\n4. Observe successful Gmail connector calls such as:\n   - `mcp__codex_apps__gmail_get_profile`\n   - `mcp__codex_apps__gmail_search_emails`\n   - `mcp__codex_apps__gmail_send_email`\n5. Observe that the connected profile resolves to the ChatGPT/OpenAI-connected Gmail account and that mailbox reads and real sends are possible.\n\nPrivate evidence available on request:\n\n- successful `get_profile` / `search` / `send` logs\n- Paperclip-managed `codex-home` Gmail connector cache path(s)\n- screenshot showing Gmail write-capable actions such as `send_email`, `send_draft`, and `update_draft` exposed in the connected-app UI\n- incident timeline showing that a real outbound email was sent\n- recipient organizations, timestamps, message IDs, and sanitized evidence for both the original outbound email and the subsequent retraction messages\n\n### Impact\n\nThis was not only theoretical in my environment. It resulted in:\n\n- mailbox identity disclosure\n- mailbox search / thread access\n- a real outbound email being sent from a personal connected Gmail account to an external third party\n- follow-up retraction messages being sent after manual intervention, confirming repeated outward write/send capability\n\nFrom an operator/security perspective, connecting Gmail in the ChatGPT/OpenAI apps UI should not automatically make that connector available to a Paperclip-managed local agent runtime, especially not for write/send actions.\n\nOne or more of the following:\n\n- no inherited OpenAI app connectors by default in Paperclip-managed `codex_local` runs\n- send/write connectors blocked by default\n- explicit Paperclip-side opt-in before outward actions\n- auditable approval and provenance for connector-mediated actions\n- safer defaults, including `dangerouslyBypassApprovalsAndSandbox = false`","references":[{"reference_url":"https://github.com/paperclipai/paperclip","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/paperclipai/paperclip"},{"reference_url":"https://github.com/paperclipai/paperclip/security/advisories/GHSA-gqqj-85qm-8qhf","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/paperclipai/paperclip/security/advisories/GHSA-gqqj-85qm-8qhf"},{"reference_url":"https://github.com/advisories/GHSA-gqqj-85qm-8qhf","reference_id":"GHSA-gqqj-85qm-8qhf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqqj-85qm-8qhf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1003458?format=json","purl":"pkg:npm/paperclipai@2026.404.0-canary.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nfjc-vj1c-sqbb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/paperclipai@2026.404.0-canary.0"}],"aliases":["GHSA-gqqj-85qm-8qhf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fwnj-9nrb-fkhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80689?format=json","vulnerability_id":"VCID-nfjc-vj1c-sqbb","summary":"Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with default configuration. No user interaction, no credentials, just the target's address. The chain consists of six API calls. The attack is fully automated, requires no user interaction, and works against the default deployment configuration. Version 2026.416.0 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41679","reference_id":"","reference_type":"","scores":[{"value":"0.00774","scoring_system":"epss","scoring_elements":"0.74041","published_at":"2026-06-11T12:55:00Z"},{"value":"0.66423","scoring_system":"epss","scoring_elements":"0.98559","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41679"},{"reference_url":"https://github.com/paperclipai/paperclip","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/paperclipai/paperclip"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41679","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41679"},{"reference_url":"https://github.com/advisories/GHSA-68qg-g8mg-6pr7","reference_id":"GHSA-68qg-g8mg-6pr7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68qg-g8mg-6pr7"},{"reference_url":"https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7","reference_id":"GHSA-68qg-g8mg-6pr7","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:39:48Z/"}],"url":"https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373725?format=json","purl":"pkg:npm/paperclipai@2026.410.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/paperclipai@2026.410.0"}],"aliases":["CVE-2026-41679","GHSA-68qg-g8mg-6pr7"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nfjc-vj1c-sqbb"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/paperclipai@2026.319.0-canary.3"}