Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable IDOR requiring authenticated session (PR:L); integrity-only impact limited to cross-tenant statistics pollution; no confidentiality or availability effect.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints.
AnalysisAI
Cross-tenant authorization bypass in PraisonAI before 0.1.7 allows authenticated users to inject issues into projects belonging to other workspaces by supplying an unvalidated project_id in issue create and update request bodies. The server trusts the client-supplied project_id without verifying it belongs to the workspace identified in the URL, a classic IDOR pattern classified under CWE-639. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid authenticated session in at least one PraisonAI workspace (PR:L confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N - score 5.3) accurately reflects moderate risk: network-reachable, low complexity, but requiring authenticated access (PR:L), with only low integrity impact and no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid account in Workspace A enumerates or guesses a project_id belonging to Workspace B, then sends a crafted POST or PATCH request to the Workspace A issue creation endpoint with the foreign project_id embedded in the request body. The server creates the issue linked to Workspace B's project, inflating or corrupting that project's issue counts and statistics without any access control check preventing the cross-tenant write. … |
| Remediation | Upgrade PraisonAI to version 0.1.7 or later, which introduces server-side validation confirming that a supplied project_id belongs to the workspace specified in the URL before processing issue create or update requests. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th
Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug
Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140
Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41367
GHSA-gggm-v68x-qqwv