PraisonAI Platform CVE-2026-47406
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Type: Insecure Direct Object Reference. The dependency endpoints (POST/GET /workspaces/{workspace_id}/issues/{issue_id}/dependencies and DELETE .../dependencies/{dep_id}) gate access on require_workspace_member(workspace_id) only, then dispatch to DependencyService calls that take URL/body-supplied issue and dependency IDs without verifying any of them belong to the membership-checked workspace. Most damaging: create_dependency accepts body.depends_on_issue_id from the request body - that ID is checked against nothing - letting an attacker create a "blocks" or "related" link between any two issues anywhere in the database. File: src/praisonai-platform/praisonai_platform/api/routes/dependencies.py, lines 22-58; services/dependency_service.py, lines 26-65. Root cause: the same Depends(require_workspace_member) default-min-role pattern as the companion IDORs, plus a service layer (DependencyService) where every method takes raw IDs and queries them directly. create(issue_id, depends_on_issue_id, ...) writes a row with no workspace verification on either ID. list_for_issue(issue_id) returns dependencies in either direction. delete(dep_id) is a primary-key delete with no workspace predicate.
Affected Code
File 1: src/praisonai-platform/praisonai_platform/api/routes/dependencies.py, lines 22-58.
@router.post("/", response_model=DependencyResponse, status_code=status.HTTP_201_CREATED)
async def create_dependency(
workspace_id: str,
issue_id: str,
body: DependencyCreate,
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
svc = DependencyService(session)
dep = await svc.create(issue_id, body.depends_on_issue_id, body.type)
# <-- BUG: neither id is workspace-checked
return DependencyResponse.model_validate(dep)
@router.get("/", response_model=List[DependencyResponse])
async def list_dependencies(
workspace_id: str,
issue_id: str,
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
svc = DependencyService(session)
deps = await svc.list_for_issue(issue_id)
# <-- BUG: returns dependencies for any issue
return [DependencyResponse.model_validate(d) for d in deps]
@router.delete("/{dep_id}", status_code=status.HTTP_204_NO_CONTENT)
async def delete_dependency(
workspace_id: str,
issue_id: str,
dep_id: str,
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
svc = DependencyService(session)
deleted = await svc.delete(dep_id)
# <-- BUG: deletes any dependency by id
if not deleted:
raise HTTPException(status_code=404, detail="Dependency not found")File 2: src/praisonai-platform/praisonai_platform/services/dependency_service.py, lines 26-65.
async def create(self, issue_id: str, depends_on_issue_id: str, dep_type: str = "blocks") -> IssueDependency:
if dep_type not in VALID_TYPES:
raise ValueError(...)
dep = IssueDependency(
issue_id=issue_id,
# <-- accepts any
depends_on_issue_id=depends_on_issue_id,
# <-- accepts any (from request body)
type=dep_type,
)
self._session.add(dep); await self._session.flush(); return dep
async def list_for_issue(self, issue_id: str) -> list[IssueDependency]:
stmt = select(IssueDependency).where(
(IssueDependency.issue_id == issue_id) | (IssueDependency.depends_on_issue_id == issue_id)
)
return list((await self._session.execute(stmt)).scalars().all())
async def delete(self, dep_id: str) -> bool:
dep = await self.get(dep_id)
# session.get(IssueDependency, dep_id) - no workspace check
...Why it's wrong: the request-body depends_on_issue_id is the worst part: an attacker can link any two issues across any two workspaces, polluting both workspaces' dependency graphs with attacker-chosen relationships ("blocks", "blocked_by", "related"). The triagers in the foreign workspace see their issue suddenly blocked by an unrelated foreign issue, breaking sprint planning and creating false correlation. The delete(dep_id) path lets an attacker remove legitimate cross-issue links between any two foreign workspaces, also disrupting their planning. The list_for_issue path leaks the dependency graph for any issue in the deployment.
Exploit Chain
- Attacker is a member of workspace
W_attackerand harvests two foreign-workspace issue UUIDsI1(inW_target1) andI2(inW_target2). They leak via the activity feed, comment threads, error messages, exported dumps, the agent prompt history, or any other channel that ever serialises an issue ID. State: attacker holds two foreign issue UUIDs. - Attacker sends
POST /workspaces/W_attacker/issues/I1/dependencieswithAuthorization: Bearer <attacker_jwt>and body{"depends_on_issue_id": "I2", "type": "blocks"}. State: control flow enterscreate_dependencywithissue_id=I1(foreign),depends_on_issue_id=I2(foreign). require_workspace_member(W_attacker, attacker)passes (attacker is a member ofW_attacker).DependencyService.create(I1, I2, "blocks")writes a new rowIssueDependency(issue_id=I1, depends_on_issue_id=I2, type="blocks"). State: there is now a cross-workspace dependency between two foreign issues, written by the attacker.- The triage UIs of
W_target1andW_target2now show that the foreign issue is blocked by an unrelated issue in another workspace. Workflow rules that key off "cannot close while blocked" will refuse to let the legitimate triagers closeI1. State: foreign workflow disrupted. - Attacker repeats with
GET /workspaces/W_attacker/issues/I1/dependenciesto read the dependency graph for any foreign issue (information disclosure, project relationship mapping), or withDELETE .../{dep_id}(after enumerating dep_ids via the list call) to strip legitimate dependencies between foreign issues, breaking blocked-by chains. - Final state: with one workspace-member token, the attacker reads, writes, and deletes dependencies on every issue in the multi-tenant deployment, polluting the dependency graphs of foreign workspaces.
Security Impact
Severity: sec-high. CVSS 7.6: network attack, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality (cross-workspace dependency graph disclosure), high integrity (cross-workspace dependency injection and deletion), no availability claim (workflow disruption is integrity, not availability). Attacker capability: read any issue's dependency graph; create arbitrary "blocks" / "blocked_by" / "related" links between any two issues across any two workspaces; delete any dependency by id. The most surprising primitive is the cross-workspace LINKING - the only one of the IDORs in this codebase where a single attacker request can affect TWO foreign workspaces at once. Preconditions: praisonai-platform is deployed multi-tenant; attacker has any membership token; foreign issue UUIDs are reachable. Differential: source-inspection-verified end-to-end. The asymmetry between this service (no workspace predicate anywhere) and MemberService.get(workspace_id, user_id) (correctly composite-keyed) confirms the gap. With the suggested fix below, the route would resolve both the URL issue_id and the body depends_on_issue_id against IssueService.get(workspace_id, ...) before allowing the dependency to be written.
Suggested Fix
Resolve every issue id (URL and body) against workspace_id at the route layer before dispatching. The route helper from the issue-IDOR companion advisory can be reused.
--- a/src/praisonai-platform/praisonai_platform/api/routes/dependencies.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/dependencies.py
@@ -22,11 +22,16 @@
@router.post("/", response_model=DependencyResponse, status_code=status.HTTP_201_CREATED)
async def create_dependency(
workspace_id: str,
issue_id: str,
body: DependencyCreate,
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
+ issue_svc = IssueService(session)
+ if await issue_svc.get(workspace_id, issue_id) is None:
+ raise HTTPException(status_code=404, detail="Issue not found")
+ if await issue_svc.get(workspace_id, body.depends_on_issue_id) is None:
+ raise HTTPException(status_code=404, detail="depends_on_issue_id not found in this workspace")
svc = DependencyService(session)
dep = await svc.create(issue_id, body.depends_on_issue_id, body.type)
return DependencyResponse.model_validate(dep)Apply the same issue_svc.get(workspace_id, issue_id) precondition to list_dependencies and delete_dependency (verifying both the issue and the dependency belong to workspace_id).
AnalysisAI
Cross-workspace Insecure Direct Object Reference in praisonai-platform (<=0.1.2) allows any authenticated workspace member to read, create, and delete issue dependencies belonging to foreign workspaces by supplying arbitrary issue UUIDs in URL paths and request bodies. The dependency endpoints only enforce membership on the URL workspace_id while passing unvalidated issue and dependency identifiers to DependencyService, enabling cross-tenant linking of issues across any two workspaces in the deployment. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4x6r-9v57-3gqw confirms the flaw and a fixed version (0.1.4) is available.
Technical ContextAI
PraisonAI Platform is a Python (FastAPI/SQLAlchemy async) multi-tenant collaboration backend distributed via PyPI as praisonai-platform (pkg:pip/praisonai-platform). The vulnerability is CWE-639 (Authorization Bypass Through User-Controlled Key): the FastAPI route handlers in api/routes/dependencies.py use a Depends(require_workspace_member) guard that only validates the caller's membership in the workspace_id path parameter, then forward URL- and body-supplied issue_id, depends_on_issue_id, and dep_id values directly into DependencyService methods. The service layer (services/dependency_service.py lines 26-65) performs primary-key SQL operations (session.get and select(IssueDependency)) without composite predicates that include workspace_id, in contrast to the codebase's correctly composite-keyed MemberService.get(workspace_id, user_id). This is a classic IDOR pattern where the authorization decision is decoupled from the object being acted upon.
RemediationAI
Vendor-released patch: upgrade praisonai-platform to 0.1.4 or later from PyPI (pip install --upgrade 'praisonai-platform>=0.1.4'), per GHSA-4x6r-9v57-3gqw (https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4x6r-9v57-3gqw). The fix resolves every URL and body-supplied issue_id and depends_on_issue_id against the membership-checked workspace_id via IssueService.get(workspace_id, ...) before dispatch, and applies the same precondition to list_dependencies and delete_dependency. If immediate upgrade is not feasible, compensating controls include disabling the /workspaces/{workspace_id}/issues/{issue_id}/dependencies routes at a reverse proxy (side effect: breaks legitimate dependency management for all tenants), restricting platform access to a single trusted tenant until patched (side effect: defeats multi-tenancy), and auditing the IssueDependency table for cross-workspace rows (join issue_id and depends_on_issue_id against Issue.workspace_id and alert on mismatches) to detect prior exploitation. Avoid relying on UUID unguessability alone - leakage channels listed in the advisory (activity feeds, comments, exports, agent prompt history) make this unreliable.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4x6r-9v57-3gqw