praisonai-platform CVE-2026-47414
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Type: Insecure Direct Object Reference. Five label endpoints - PATCH /workspaces/{workspace_id}/labels/{label_id}, DELETE .../labels/{label_id}, POST .../issues/{issue_id}/labels/{label_id}, DELETE .../issues/{issue_id}/labels/{label_id}, GET .../issues/{issue_id}/labels - gate access on require_workspace_member(workspace_id) only and pass URL-supplied label_id and issue_id straight through to LabelService without verifying either belongs to the workspace. File: src/praisonai-platform/praisonai_platform/services/label_service.py, lines 35-100; route handlers at src/praisonai-platform/praisonai_platform/api/routes/labels.py, lines 42-106. Root cause: identical pattern to the agent / issue / project / comment IDORs in this codebase: the route's workspace_id is used as a membership predicate but never threaded through to the service layer. LabelService.get(label_id) runs session.get(IssueLabel, label_id) with no workspace filter; update/delete inherit the gap; add_to_issue(issue_id, label_id) and remove_from_issue(issue_id, label_id) write/delete association rows without verifying either ID belongs to the membership-checked workspace; list_for_issue(issue_id) reads them.
Affected Code
File 1: src/praisonai-platform/praisonai_platform/services/label_service.py, lines 35-100.
class LabelService:
...
async def get(self, label_id: str) -> Optional[IssueLabel]:
return await self._session.get(IssueLabel, label_id)
# <-- BUG: no workspace_id predicate
async def update(
self,
label_id: str,
...
) -> Optional[IssueLabel]:
label = await self.get(label_id)
# <-- inherits the gap
...
async def delete(self, label_id: str) -> bool:
label = await self.get(label_id)
# <-- inherits the gap
...
async def add_to_issue(self, issue_id: str, label_id: str) -> None:
# writes a row in issue_label association table; no workspace check on either id
async def remove_from_issue(self, issue_id: str, label_id: str) -> None:
# deletes from association table; no workspace check on either id
async def list_for_issue(self, issue_id: str) -> list[IssueLabel]:
# reads from association table; no workspace check on issue_idFile 2: src/praisonai-platform/praisonai_platform/api/routes/labels.py, lines 42-106.
@router.patch("/labels/{label_id}", response_model=LabelResponse)
async def update_label(workspace_id: str, label_id: str, body: LabelUpdate, ...):
svc = LabelService(session)
label = await svc.update(label_id, body.name, body.color)
# <-- writes any label in the DB
...
@router.delete("/labels/{label_id}", ...)
async def delete_label(workspace_id: str, label_id: str, ...):
deleted = await svc.delete(label_id)
# <-- deletes any label in the DB
...
@router.post("/issues/{issue_id}/labels/{label_id}", ...)
async def add_label_to_issue(workspace_id: str, issue_id: str, label_id: str, ...):
await svc.add_to_issue(issue_id, label_id)
# <-- attaches any label to any issue cross-workspace
@router.delete("/issues/{issue_id}/labels/{label_id}", ...)
async def remove_label_from_issue(workspace_id: str, issue_id: str, label_id: str, ...):
await svc.remove_from_issue(issue_id, label_id)
# <-- detaches any label from any issue cross-workspace
@router.get("/issues/{issue_id}/labels", ...)
async def list_issue_labels(workspace_id: str, issue_id: str, ...):
labels = await svc.list_for_issue(issue_id)
# <-- reads label assignments for any issueWhy it's wrong: the workspace_id URL segment is treated as a UI hint; the actual label_id and issue_id lookups query the database without a workspace constraint. The MemberService in this same codebase uses a composite key correctly; the label service does not. The add_to_issue and remove_from_issue paths are particularly nasty because they touch *two* unverified IDs at once: an attacker can attach a foreign workspace's label to a foreign workspace's issue (or detach the legitimate labels), corrupting both sides of an association the attacker has no business touching.
Exploit Chain
- Attacker registers a workspace
W_attacker(member) and harvests a foreign-workspacelabel_idL_Tand a foreign-workspaceissue_idI_T. Both leak vialist_labelsresponses (which include label IDs - but only forW_attacker; for the target the IDs come from issue records that include label associations, activity feeds, exported dumps, error messages). State: attacker holdsL_TandI_T. - Attacker authenticates and sends
PATCH /workspaces/W_attacker/labels/L_Twith{"name": "<deleted>", "color": "#000000"}.require_workspace_member(W_attacker, attacker)passes.LabelService.update(L_T, ...)loads the foreign label and renames it. State: every issue across the foreign workspace that bears this label now displays the attacker-chosen name and colour. - Attacker sends
DELETE /workspaces/W_attacker/labels/L_T.LabelService.delete(L_T)deletes the foreign label, dropping every issue-label association row that referenced it (cascade or orphan, depending on schema). State: foreign workspace's labels are gone or corrupted. - Attacker sends
POST /workspaces/W_attacker/issues/I_T/labels/L_T2to attach foreign labelL_T2to foreign issueI_T.LabelService.add_to_issue(I_T, L_T2)writes the association row regardless of either ID's workspace. State: the foreign issue now carries an arbitrary attacker-chosen label, which surfaces in every filter/search/board view in the foreign workspace's UI. - Attacker sends
DELETE /workspaces/W_attacker/issues/I_T/labels/L_legitto strip the legitimate label off the foreign issue. State: triagers can no longer find the issue via label filters. - Attacker sends
GET /workspaces/W_attacker/issues/I_T/labelsto read the current label set on any foreign issue. State: the attacker fingerprints the foreign workspace's triage taxonomy. - Final state: with one workspace-member token plus harvested foreign IDs, the attacker rewrites and deletes other workspaces' labels, attaches/detaches arbitrary labels on other workspaces' issues, and reads triage state across the deployment.
Security Impact
Severity: sec-moderate. CVSS 6.3: network attack, low complexity, low privileges, no user interaction, scope unchanged. The integrity damage is high (rename/delete of foreign labels is permanent and silent; cross-workspace label-attachment corrupts UI filters), confidentiality is low (label names are not the most sensitive field but do leak triage taxonomy), availability low (foreign workspaces may lose triage visibility into their own issues until the labels are restored). Attacker capability: rename and delete any label in the multi-tenant deployment; attach any label to any issue; detach any label from any issue; list label assignments for any issue. Combined with the companion IssueService IDOR (separate advisory), the attacker can also modify the underlying issue, making the cross-workspace tampering very difficult to detect. Preconditions: praisonai-platform is deployed multi-tenant; the attacker has any membership token; target IDs are known or guessable. Differential: source-inspection-verified end-to-end. The asymmetry between LabelService.list_for_workspace(workspace_id) (correctly workspace-scoped) and LabelService.get(label_id) / add_to_issue(issue_id, label_id) (no workspace check) confirms the gap. With the suggested fix below, label and issue IDs that do not belong to the membership-checked workspace return 404, and the attacker cannot touch them.
Suggested Fix
Make every single-row label lookup take the workspace predicate; verify both issue_id and label_id belong to workspace_id for the association routes.
--- a/src/praisonai-platform/praisonai_platform/services/label_service.py
+++ b/src/praisonai-platform/praisonai_platform/services/label_service.py
@@ -33,7 +33,12 @@ class LabelService:
return label
- async def get(self, label_id: str) -> Optional[IssueLabel]:
- return await self._session.get(IssueLabel, label_id)
+ async def get(self, workspace_id: str, label_id: str) -> Optional[IssueLabel]:
+ stmt = select(IssueLabel).where(
+ IssueLabel.id == label_id,
+ IssueLabel.workspace_id == workspace_id,
+ )
+ return (await self._session.execute(stmt)).scalar_one_or_none()
- async def add_to_issue(self, issue_id: str, label_id: str) -> None:
+ async def add_to_issue(self, workspace_id: str, issue_id: str, label_id: str) -> None:
+
# Verify both ids belong to workspace_id before writing the association row.Then update the route handlers in routes/labels.py to thread workspace_id through every call. The same single-key-lookup pattern is filed separately for AgentService, IssueService, ProjectService, and CommentService - each is its own exploitable IDOR.
AnalysisAI
Cross-workspace label tampering in praisonai-platform <=0.1.2 lets any authenticated workspace member rewrite, delete, attach, detach, and enumerate labels belonging to other tenants because five label endpoints only check workspace membership and never verify that the URL-supplied label_id or issue_id actually belongs to that workspace. Reported by the upstream MervinPraison/PraisonAI project with a fix in 0.1.4; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
praisonai-platform is a Python (FastAPI-style) multi-tenant backend for the PraisonAI agent platform, distributed via PyPI as pkg:pip/praisonai-platform. The defect is a classic CWE-639 Authorization Bypass Through User-Controlled Key: route handlers in praisonai_platform/api/routes/labels.py (lines 42-106) enforce require_workspace_member(workspace_id) but then forward the path-bound label_id and issue_id directly to LabelService (services/label_service.py lines 35-100), whose get/update/delete/add_to_issue/remove_from_issue/list_for_issue methods perform raw primary-key lookups (session.get(IssueLabel, label_id)) and association-table writes without any workspace_id predicate. The same single-key-lookup anti-pattern recurs in AgentService, IssueService, ProjectService and CommentService, while MemberService and LabelService.list_for_workspace correctly use composite scoping, confirming the gap is local to these handlers.
RemediationAI
Upgrade praisonai-platform to the vendor-released patched version 0.1.4 (pip install --upgrade praisonai-platform>=0.1.4) per GHSA-5jx9-w35f-vp65 (https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-5jx9-w35f-vp65); the advisory's suggested patch threads workspace_id through LabelService.get/update/delete/add_to_issue/remove_from_issue/list_for_issue and the labels.py route handlers so cross-workspace IDs return 404. If upgrade must be delayed, deploy a reverse-proxy or middleware rule that blocks or 403s the five vulnerable routes (PATCH and DELETE /workspaces/{wid}/labels/{lid}, POST and DELETE /workspaces/{wid}/issues/{iid}/labels/{lid}, GET /workspaces/{wid}/issues/{iid}/labels), accepting that label management will be unusable for legitimate users; alternatively run praisonai-platform in single-tenant mode (one workspace per deployment) to neutralise cross-tenant impact at the cost of losing the multi-tenant feature. Also plan to apply the sibling fixes for AgentService, IssueService, ProjectService and CommentService IDORs noted in the advisory, since label-only mitigation leaves the broader tampering chain open.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-5jx9-w35f-vp65