GHSA-xfqj-r5qw-8g4j: Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode

April 16, 2026

Several API endpoints in authenticated mode have no authentication at all. They respond to completely unauthenticated requests with sensitive data or allow state-changing operations. No account, no session, no API key needed.

Verified against the latest version.

Discord: sagi03581

References

github.com/advisories/GHSA-xfqj-r5qw-8g4j
github.com/paperclipai/paperclip
github.com/paperclipai/paperclip/security/advisories/GHSA-xfqj-r5qw-8g4j

Code Behaviors & Features

Detect and mitigate GHSA-xfqj-r5qw-8g4j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →