
Cross-Tenant Agent API Token Minting via Missing Authorization Checks

Paperclip's `/api/agents/:id/keys` endpoints fail to validate tenant ownership, allowing any authenticated user to mint valid API tokens for agents in other companies. This bypasses the core multi-tenant security boundary.

Sebastion

CVE References

Affected

Paperclip ≤ 2026.410.0

Vulnerability Description

The vulnerability is a missing authorization check (CWE-639: Authorization Failure) on three agent key management endpoints in server/src/routes/agents.ts (lines 2050-2087). These endpoints call assertBoard but omit the required assertCompanyAccess validation, so a user who is authenticated to the instance but holds no membership in the victim tenant can mint plaintext pcp_* API tokens bound to arbitrary agents. Because a generated token inherits the victim agent's companyId, every downstream authorization check treats the holder as a legitimate member of that company and authorizes cross-tenant operations.

Proof-of-Concept Significance

This PoC demonstrates a repeatable authorization bypass of the instance's tenancy boundary. It requires only valid authentication (even a zero-privilege account works) and proves the vulnerability is reliable and exploitable without additional preconditions. The PoC validates that the minted token functions with full agent permissions inside the victim tenant, confirming the severity. This is particularly critical because it is a distinct regression from the GHSA-68qg-g8mg-6pr7 patch, indicating that the same authorization pattern was incompletely patched across multiple handlers.

Detection Guidance

Log Indicators:

  • Spike in POST /api/agents/:id/keys requests from a single authenticated user across multiple agents owned by different companies
  • Requests to agent key endpoints from users with no recorded company membership
  • Successful token generation (2xx responses) followed immediately by operations on agents in unexpected companyId contexts
  • Audit logs showing agent API key creation without corresponding company access grants

Monitoring: Alert on any POST /api/agents/*/keys or DELETE /api/agents/*/keys/* from users not in the target agent's company; correlate with subsequent API usage of the minted token.
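The log indicators and the monitoring rule above, turned into a small detector as an added example (not part of this advisory and not Paperclip's own code). It runs over constructed JSON-per-line audit records; the field names (userId, agentCompanyId) and the membership directory are assumptions, and agentCompanyId stands for an enrichment step that joins the target agent's companyId onto each request.

```typescript
// Added example (not Paperclip code): flags agent-key operations by users outside
// the agent's company. Log field names and the membership directory are assumed.
interface KeyEvent { userId: string; method: string; path: string; status: number; agentCompanyId: string }
interface Finding { userId: string; reason: string; path: string }

// Constructed membership directory: userId -> companyIds the user belongs to.
const MEMBERSHIP: Record<string, string[]> = {
  "u-alice": ["co-acme"], "u-mallory": ["co-mallory"], "u-orphan": [],
};

// Constructed audit log: one legitimate mint, three foreign-tenant key operations
// by u-mallory, one by a user with no membership, one unrelated request.
const SAMPLE_LOG = [
  '{"userId":"u-alice","method":"POST","path":"/api/agents/ag-1/keys","status":201,"agentCompanyId":"co-acme"}',
  '{"userId":"u-mallory","method":"POST","path":"/api/agents/ag-1/keys","status":201,"agentCompanyId":"co-acme"}',
  '{"userId":"u-mallory","method":"POST","path":"/api/agents/ag-9/keys","status":201,"agentCompanyId":"co-globex"}',
  '{"userId":"u-mallory","method":"DELETE","path":"/api/agents/ag-9/keys/k-3","status":204,"agentCompanyId":"co-globex"}',
  '{"userId":"u-orphan","method":"GET","path":"/api/agents/ag-2/keys","status":200,"agentCompanyId":"co-acme"}',
  '{"userId":"u-alice","method":"GET","path":"/api/projects","status":200,"agentCompanyId":""}',
].join("\n");

// Matches /api/agents/:id/keys and /api/agents/:id/keys/:keyId (POST, GET, DELETE alike).
const KEY_PATH = /^\/api\/agents\/[^\/]+\/keys(\/[^\/]+)?$/;

function parseLog(text: string): KeyEvent[] {
  return text.split("\n").filter(l => l.trim() !== "").map(l => JSON.parse(l) as KeyEvent);
}

// One finding per successful (2xx) key operation where the caller is not a member of
// the agent's company (or has no membership at all), plus a fan-out finding for any
// user who touched agents in two or more foreign companies (the spike indicator).
function detectCrossTenantKeyOps(events: KeyEvent[], membership: Record<string, string[]>): Finding[] {
  const findings: Finding[] = [];
  const foreign: Record<string, Record<string, true>> = {};
  for (const e of events) {
    if (!KEY_PATH.test(e.path) || e.status < 200 || e.status >= 300) continue;
    const companies = membership[e.userId] || [];
    if (companies.indexOf(e.agentCompanyId) !== -1) continue; // caller is a member: legitimate
    const reason = companies.length === 0 ? "no company membership" : "cross-tenant key op on " + e.agentCompanyId;
    findings.push({ userId: e.userId, reason, path: e.path });
    foreign[e.userId] = foreign[e.userId] || {};
    foreign[e.userId][e.agentCompanyId] = true;
  }
  for (const user of Object.keys(foreign)) {
    const n = Object.keys(foreign[user]).length;
    if (n >= 2) findings.push({ userId: user, reason: "fan-out across " + n + " foreign companies", path: "*" });
  }
  return findings;
}
```

Each per-event finding is the "alert on any POST/DELETE from users not in the target agent's company" rule; the fan-out finding is the starting point for correlating later use of the minted token.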

Mitigation Steps

  1. Immediate: Patch all three endpoints (POST, GET, DELETE /api/agents/:id/keys) to call assertCompanyAccess(req, agent.companyId) before any key operations
  2. Validation: Audit all authorization-gated endpoints in agents.ts for similar assertBoard-only patterns; this indicates incomplete patching from the prior CVE
  3. Revocation: Issue guidance to revoke all agent API tokens minted during the vulnerable window; implement token rotation policies
  4. Testing: Add integration tests verifying that users who are not members of the agent's company receive 403 Forbidden on all agent key endpoints

Risk Assessment

Likelihood of Exploitation: Very High—the vulnerability requires only valid user credentials (trivial for insider threats or account takeover) and produces immediately usable cross-tenant access tokens. No custom exploitation code is needed; standard REST clients suffice. Threat actors with any valid instance account can laterally move between all tenant organizations.

Threat Actor Interest: Critical. This is a pure tenancy bypass that enables wholesale customer data exfiltration, lateral movement, and privilege escalation within a SaaS instance. The low barrier to exploitation and high impact make this a priority target for APTs and extortion-focused actors.