Skip to main content

PraisonAI Platform CVE-2026-47417

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-01 https://github.com/MervinPraison/PraisonAI GHSA-cp4f-5m9r-5jc2
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 01, 2026 - 14:52 vuln.today
Analysis Generated
Jun 01, 2026 - 14:52 vuln.today

DescriptionGitHub Advisory

Summary

Type: Insecure Direct Object Reference. The comment endpoints (POST /workspaces/{workspace_id}/issues/{issue_id}/comments and GET .../comments) gate access on require_workspace_member(workspace_id) only, then call CommentService.create(issue_id=issue_id, ...) and CommentService.list_for_issue(issue_id) without verifying that issue_id belongs to workspace_id. A user who is a member of any workspace W1 can read every comment on, and post new comments to, any issue in any other workspace W2. File: src/praisonai-platform/praisonai_platform/api/routes/issues.py, lines 143-171; src/praisonai-platform/praisonai_platform/services/comment_service.py, lines 19-53. Root cause: the route extracts workspace_id from the URL path and uses it solely for the membership gate, then passes the URL-supplied issue_id straight into CommentService without confirming that this issue exists in workspace_id. CommentService.list_for_issue(issue_id) runs SELECT * FROM comments WHERE issue_id = :issue_id with no workspace join. CommentService.create(issue_id=issue_id, ...) blindly writes a row with that issue_id. Both flows trust the URL-supplied issue ID as authoritative even though the membership check guarantees nothing about it.

Affected Code

File 1: src/praisonai-platform/praisonai_platform/api/routes/issues.py, lines 143-171.

python
@router.post("/{issue_id}/comments", response_model=CommentResponse, status_code=status.HTTP_201_CREATED)
async def add_comment(
    workspace_id: str,
    issue_id: str,
    body: CommentCreate,
    user: AuthIdentity = Depends(require_workspace_member),
# only checks attacker is in workspace_id
    session: AsyncSession = Depends(get_db),
):
    svc = CommentService(session)
    comment = await svc.create(
        issue_id=issue_id,
# <-- BUG: no validation that issue_id is in workspace_id
        author_id=user.id,
        content=body.content,
        author_type="member" if user.is_user else "agent",
        parent_id=body.parent_id,
    )
    return CommentResponse.model_validate(comment)


@router.get("/{issue_id}/comments", response_model=List[CommentResponse])
async def list_comments(
    workspace_id: str,
    issue_id: str,
    user: AuthIdentity = Depends(require_workspace_member),
    session: AsyncSession = Depends(get_db),
):
    svc = CommentService(session)
    comments = await svc.list_for_issue(issue_id)
# <-- BUG: returns comments on any issue
    return [CommentResponse.model_validate(c) for c in comments]

File 2: src/praisonai-platform/praisonai_platform/services/comment_service.py, lines 19-53.

python
class CommentService:
    ...

    async def create(
        self,
        issue_id: str,
        author_id: str,
        content: str,
        author_type: str = "member",
        comment_type: str = "comment",
        parent_id: Optional[str] = None,
    ) -> Comment:
        comment = Comment(
            issue_id=issue_id,
# <-- accepts any issue_id; no workspace verify
            author_type=author_type,
            author_id=author_id,
            ...
        )
        self._session.add(comment)
        await self._session.flush()
        return comment

    async def list_for_issue(self, issue_id: str) -> list[Comment]:
        stmt = (
            select(Comment)
            .where(Comment.issue_id == issue_id)
# <-- no JOIN against issues for workspace constraint
            .order_by(Comment.created_at)
        )
        result = await self._session.execute(stmt)
        return list(result.scalars().all())

Why it's wrong: the service trusts the caller-supplied issue_id as authoritative, but the route layer never verified that this issue belongs to the workspace the membership check covers. The standard FastAPI/SQLAlchemy fix is to first resolve the issue scoped to workspace_id (Issue.id = :issue_id AND Issue.workspace_id = :workspace_id) and only then proceed to comment operations. The MemberService.get(workspace_id, user_id) and LabelService.list_for_workspace(workspace_id) calls in the same codebase show the safe predicate; the comment service forgot to apply it.

Exploit Chain

  1. Attacker registers a workspace W_attacker (member) and harvests a target issue UUID I_T from any side channel: agent prompts that mention issues, the activity feed (act_svc.log records issue_id), webhook payloads, exported issue dumps, or simply by being a low-privilege observer of the attacker's own workspace whose internals reference foreign issue IDs (cross-workspace links, search across activity events). State: attacker holds I_T.
  2. Attacker authenticates and sends GET /workspaces/W_attacker/issues/I_T/comments. require_workspace_member(W_attacker, attacker) passes (attacker is a member of W_attacker). State: control flow enters list_comments with workspace_id=W_attacker, issue_id=I_T.
  3. CommentService.list_for_issue(I_T) runs SELECT * FROM comments WHERE issue_id = 'I_T' with no workspace constraint. Every comment on the foreign issue is returned: content (often the most sensitive part of an issue tracker - bug-report repro steps with secrets, customer PII, internal triage notes), author_id, author_type, parent_id, created_at. State: response body is the full comment thread of the foreign issue.
  4. Attacker repeats with POST /workspaces/W_attacker/issues/I_T/comments and a body of {"content": "<malicious>"}. CommentService.create(issue_id=I_T, author_id=attacker, ...) writes a row with the foreign issue's id and the attacker's author_id. State: a new comment authored by the attacker appears in the foreign workspace's issue thread, indistinguishable to the foreign workspace's UI from a legitimate cross-workspace mention. Used at scale this becomes a comment-spam / phishing primitive (links in the comment body) targeting another tenant's users.
  5. Final state: any attacker with one workspace-member token can exfiltrate every comment in the multi-tenant deployment given the issue UUIDs, and inject arbitrary comments under their own author identity into any foreign issue. The cross-workspace attribution gap is the worst part: the comment is recorded with the attacker's author_id, but the foreign workspace has no member with that id and the foreign workspace's audit logs show no event (the act_svc.log call in add_comment is omitted).

Security Impact

Severity: sec-high. CVSS 7.6: network attack, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality (full comment threads), high integrity (cross-workspace comment injection under attacker's own id), no availability claim. Attacker capability: read every comment on every issue in the multi-tenant deployment given the issue UUIDs; post arbitrary comments under the attacker's identity into any foreign issue, allowing comment-spam, phishing-link injection into another tenant's UI, or social-engineering attribution attacks (the foreign workspace's UI renders a comment whose author belongs to no member of that workspace). Preconditions: praisonai-platform is deployed multi-tenant; the attacker has any membership token; the target issue's UUID is known or guessable. Differential: source-inspection-verified end-to-end. The asymmetry between CommentService.list_for_issue(issue_id) (no workspace predicate) and LabelService.list_for_workspace(workspace_id) (correctly workspace-scoped) confirms the gap. With the suggested fix below, every comment route first resolves the issue scoped to workspace_id, returns 404 if the issue is foreign, and only then proceeds.

Suggested Fix

Resolve the issue scoped to workspace_id at the route layer before dispatching to CommentService. This both fixes the read and the write paths and avoids changing the CommentService signature.

diff
--- a/src/praisonai-platform/praisonai_platform/api/routes/issues.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/issues.py
@@ -141,6 +141,11 @@ async def delete_issue(...):
# ── Comments ─────────────────────────────────────────────────────────────────


+async def _require_issue_in_workspace(session, workspace_id: str, issue_id: str):
+    issue = await IssueService(session).get(workspace_id, issue_id)
# workspace-scoped get (see companion advisory)
+    if issue is None:
+        raise HTTPException(status_code=404, detail="Issue not found")
+
 @router.post("/{issue_id}/comments", response_model=CommentResponse, status_code=status.HTTP_201_CREATED)
 async def add_comment(
     workspace_id: str,
@@ -149,6 +154,7 @@ async def add_comment(
     user: AuthIdentity = Depends(require_workspace_member),
     session: AsyncSession = Depends(get_db),
 ):
+    await _require_issue_in_workspace(session, workspace_id, issue_id)
     svc = CommentService(session)
     comment = await svc.create(
         issue_id=issue_id,
@@ -167,5 +173,6 @@ async def list_comments(
     user: AuthIdentity = Depends(require_workspace_member),
     session: AsyncSession = Depends(get_db),
 ):
+    await _require_issue_in_workspace(session, workspace_id, issue_id)
     svc = CommentService(session)
     comments = await svc.list_for_issue(issue_id)

Companion advisories file the same workspace-scoping gap for AgentService, IssueService, ProjectService, and LabelService. Each is a separate exploitable IDOR.

AnalysisAI

Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read and inject comments on issues belonging to any other tenant in a multi-tenant deployment. The comment endpoints validate workspace membership but never verify that the URL-supplied issue_id actually belongs to that workspace, breaking tenant isolation. No public exploit identified at time of analysis, but source-code-level analysis confirms the gap end-to-end.

Technical ContextAI

The vulnerability sits in the FastAPI/SQLAlchemy comment routes of praisonai-platform (pkg:pip/praisonai-platform), specifically src/praisonai-platform/praisonai_platform/api/routes/issues.py lines 143-171 and the backing CommentService at services/comment_service.py lines 19-53. CWE-639 (Authorization Bypass Through User-Controlled Key) applies: the route relies on require_workspace_member(workspace_id) for authorization but then forwards the untrusted issue_id directly into CommentService.list_for_issue() (which executes SELECT * FROM comments WHERE issue_id = :issue_id with no workspace JOIN) and CommentService.create() (which blindly inserts a row with the caller-supplied issue_id). The correct pattern, already used elsewhere in the same codebase by LabelService.list_for_workspace(workspace_id) and MemberService.get(workspace_id, user_id), is to resolve the child object scoped to its parent workspace before any read or write - this scoping predicate was simply omitted for comments.

RemediationAI

Vendor-released patch: upgrade praisonai-platform to 0.1.4 or later, which is the fixed version per the GHSA-cp4f-5m9r-5jc2 advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cp4f-5m9r-5jc2. The upstream fix adds a _require_issue_in_workspace() helper that calls IssueService.get(workspace_id, issue_id) and raises 404 before either add_comment or list_comments dispatches to CommentService. If immediate upgrade is not possible, operators running multi-tenant deployments can restrict the /workspaces/{workspace_id}/issues/{issue_id}/comments routes at a reverse proxy or API gateway to a single trusted workspace ID (eliminating cross-tenant requests but breaking legitimate multi-tenant comment use), or temporarily disable POST and GET to the comments endpoints entirely until the patch is applied (which removes the comment feature but preserves the rest of the issue tracker). Tightening issue UUID exposure in activity feeds, webhook payloads, and agent prompts also reduces the attack surface but does not close the underlying authorization gap and should not be treated as a fix.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-47417 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy