Skip to main content

praisonai-platform CVE-2026-47411

MEDIUM
Improper Privilege Management (CWE-269)
2026-06-01 https://github.com/MervinPraison/PraisonAI GHSA-rcmc-q9rj-4wmq
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 01, 2026 - 14:54 vuln.today
Analysis Generated
Jun 01, 2026 - 14:54 vuln.today

DescriptionGitHub Advisory

Summary

Type: Authorization bypass enabling workspace metadata + settings tampering. The PATCH /workspaces/{workspace_id} endpoint is gated only by require_workspace_member(workspace_id) (default min_role="member"). Any member can rewrite the workspace's name, description, and the settings JSON blob. The settings field is a free-form JSON object - depending on which downstream code reads it, this becomes a configuration-injection primitive for any setting the platform exposes there. File: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 63-74; services/workspace_service.py's update() method. Root cause: Depends(require_workspace_member) resolves to default min_role="member". WorkspaceService.update(workspace_id, name, description, settings) writes the new fields to the workspace row without any caller-permission check. The role hierarchy (MemberService.has_role) is never consulted.

Affected Code

File: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 63-74.

python
@router.patch("/{workspace_id}", response_model=WorkspaceResponse)
async def update_workspace(
    workspace_id: str,
    body: WorkspaceUpdate,
    user: AuthIdentity = Depends(require_workspace_member),
# <-- BUG: defaults to min_role="member"
    session: AsyncSession = Depends(get_db),
):
    ws_svc = WorkspaceService(session)
    ws = await ws_svc.update(workspace_id, body.name, body.description, body.settings)
# <-- writes any value
    if ws is None:
        raise HTTPException(status_code=404, detail="Workspace not found")
    return WorkspaceResponse.model_validate(ws)

Why it's wrong: workspace name and settings are owner-tier fields. Renaming the workspace to a profanity is a low-impact griefing vector; rewriting the JSON settings blob is potentially a much higher-impact configuration injection (depending on what fields downstream code reads from settings, the attacker may flip feature flags, redirect webhook URLs, change LLM provider keys for shared configs, disable audit logging, etc.). The require_workspace_member(min_role) parameter is implemented and unused. This endpoint should require owner.

Exploit Chain

  1. Attacker is a member of workspace W with role "member". State: attacker holds JWT.
  2. Attacker sends PATCH /workspaces/W with Authorization: Bearer <attacker_jwt> and body {"name": "Compromised", "description": "Owned by attacker", "settings": {"allow_public_invite": true, "ai_provider_url": "https://attacker.example/v1"}}. State: control flow enters update_workspace.
  3. require_workspace_member(W, attacker) passes. WorkspaceService.update(W, ...) writes the three fields. State: workspace W now has attacker-chosen name, description, and settings.
  4. The settings JSON is read by any downstream code that consults workspace settings (LLM proxying, invite flows, webhook routing). If the deployment uses settings-keyed configuration overrides, those overrides now point at attacker-controlled endpoints.
  5. Final state: with one member-level token plus one PATCH, the attacker rewrites the workspace's metadata and settings, with effects ranging from cosmetic (rename) to substantive (settings-keyed config injection).

Security Impact

Severity: sec-moderate. CVSS 6.5: network attack, low complexity, low privileges, no user interaction, scope unchanged, no confidentiality directly (though settings rewrites may enable indirect data exfiltration via attacker-pointed integration URLs), high integrity, no availability claim. Attacker capability: rewrite any workspace's name, description, and settings JSON. The actual blast radius depends on what fields the deployment reads from settings - but that field is documented as a free-form JSON blob, so any future configuration the platform adds there becomes attacker-tunable. Preconditions: praisonai-platform is deployed multi-tenant; attacker has any membership token in the target workspace. Differential: source-inspection-verified. With the suggested fix below, member-tier tokens fail the gate and the metadata rewrite is rejected with 403.

Suggested Fix

diff
--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
@@ -63,11 +63,11 @@
 @router.patch("/{workspace_id}", response_model=WorkspaceResponse)
 async def update_workspace(
     workspace_id: str,
     body: WorkspaceUpdate,
-    user: AuthIdentity = Depends(require_workspace_member),
+    user: AuthIdentity = Depends(_require_workspace_owner),
# see member-update-role advisory for helper
     session: AsyncSession = Depends(get_db),
 ):
     ws_svc = WorkspaceService(session)
     ws = await ws_svc.update(workspace_id, body.name, body.description, body.settings)
     if ws is None:
         raise HTTPException(status_code=404, detail="Workspace not found")
     return WorkspaceResponse.model_validate(ws)

Defence-in-depth: validate the keys allowed in body.settings against an allowlist so the field cannot become an arbitrary config-injection primitive even for owners. The four companion workspace-mutation endpoints (add_member, update_member_role, remove_member, delete_workspace) exhibit the same default-min-role gap and are filed as their own advisories.

AnalysisAI

{workspace_id} endpoint. The CVSS vector (PR:L/AC:L/AV:N/UI:N/I:H) confirms this is a low-complexity network attack requiring only member-tier credentials, and the integrity impact is rated High because the settings field can be used as a configuration-injection primitive - redirecting LLM provider URLs, webhook endpoints, or invite flows to attacker-controlled infrastructure. No public exploit identified at time of analysis, though the exploit chain is trivially reproducible from the published GitHub Security Advisory GHSA-rcmc-q9rj-4wmq.

Technical ContextAI

The affected package is praisonai-platform (PyPI: pip/praisonai-platform), a Python-based multi-tenant AI orchestration platform built on FastAPI. The vulnerable route is defined in src/praisonai-platform/praisonai_platform/api/routes/workspaces.py (lines 63-74) and uses a FastAPI dependency injection pattern: Depends(require_workspace_member) with its default min_role='member'. This guard authenticates the caller as a workspace member but never invokes the role hierarchy enforced by MemberService.has_role, so owner-tier operations are reachable from member-tier tokens. The WorkspaceService.update() method writes the caller-supplied name, description, and settings values directly to the workspace database row without a secondary permission check. CWE-269 (Improper Privilege Management) is the root cause classification: the min_role parameter on require_workspace_member is implemented and working but simply not set to 'owner' at this endpoint. The settings column is typed as a free-form JSON blob, meaning any JSON object can be injected regardless of key validity - making this a configuration-injection primitive whose blast radius scales with whatever downstream consumers read from that field.

RemediationAI

Upgrade praisonai-platform to version 0.1.4 or later using pip install --upgrade praisonai-platform; the fix replaces Depends(require_workspace_member) with Depends(_require_workspace_owner) on the PATCH /workspaces/{workspace_id} route, ensuring member-tier tokens are rejected with HTTP 403. See the advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rcmc-q9rj-4wmq for full patch details. As defense-in-depth, the advisory recommends validating keys in the settings body against an allowlist, preventing arbitrary configuration injection even for owner-tier callers - this is worth implementing regardless of upgrade status. If immediate patching is not possible, operators can block PATCH /workspaces/{id} at the API gateway or reverse proxy for all non-owner accounts; note this requires out-of-band role enforcement and may break legitimate future member-tier edit flows, so it is a temporary measure only. The advisory also notes that four companion endpoints (add_member, update_member_role, remove_member, delete_workspace) exhibit the same default-min-role gap and are covered by separate advisories - those should be audited concurrently.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-47411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy