Threat Advisory

praisonai-platform Vulnerabilities Expose Member Privilege Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the praisonai-platform Python package (pip/praisonai-platform) versions prior to 0.1.4. The flaws span privilege escalation, unauthorized destructive actions, and insecure direct object references (IDOR) affecting workspace member management, workspace deletion, and issue/project APIs. An attacker with merely a standard member token can promote arbitrary accounts to owners, erase entire workspaces, or read, modify, and delete resources across tenants. These weaknesses expose organizations to data loss, unauthorized control of collaborative environments, and potential compliance violations, representing a severe business risk for any multi-tenant deployment.

  • CVE-2026-47413 with a CVSS score of 9.6 – A privilege‑escalation flaw in POST /workspaces/{id}/members lets any workspace member assign the “owner” role to any user, requiring only a valid member JWT; the attacker can create a second account and gain full ownership of the workspace.
  • CVE-2026-47412 with a CVSS score of 8.1 – The DELETE /workspaces/{id} endpoint checks only for membership, allowing a low‑privilege member to issue a single DELETE request that permanently removes the workspace and all cascaded data.
  • CVE-2026-47415 with a CVSS score of 8.3 – Issue CRUD endpoints are affected by an IDOR: they verify membership on the workspace but do not confirm that the supplied issue_id belongs to that workspace, enabling a member of any workspace to read, update, or delete issues in other tenants.
  • CVE-2026-47418 with a CVSS score of 8.1 – Project CRUD and stats endpoints similarly lack workspace ownership checks, permitting cross‑workspace access, modification, deletion, and statistic retrieval for any project regardless of the caller’s tenancy.

If exploited, these vulnerabilities allow attackers to commandeer workspace ownership, irreversibly delete critical data, and breach isolation between tenant resources, leading to operational disruption, loss of intellectual property, and potential regulatory fallout. Immediate attention is required to protect multi‑tenant environments from severe data‑integrity and confidentiality impacts.
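As an added illustration (not the project's code), the authorization patterns the advisory contrasts, in Python over a constructed in-memory model: an issue lookup that checks workspace membership only beside one that also confirms the issue belongs to the authorized workspace, and owner-only checks for role assignment and workspace deletion. The role names, user and workspace identifiers are assumptions.

```python
# Constructed in-memory stand-in for the platform's data store (not the project's schema):
# workspace id -> {user id: role}, and issue id -> owning workspace id.
# The role names "owner" and "member" are assumed from the advisory's wording.
WORKSPACES = {
    "ws-a": {"alice": "owner", "bob": "member"},
    "ws-b": {"carol": "owner"},
}
ISSUES = {"iss-1": "ws-a", "iss-2": "ws-b"}

def is_member(user_id, workspace_id):
    return user_id in WORKSPACES.get(workspace_id, {})

def fetch_issue_vulnerable(user_id, workspace_id, issue_id):
    # Membership is checked on the workspace, but the issue is then loaded by
    # id alone: the IDOR pattern the advisory describes for issue/project APIs.
    if not is_member(user_id, workspace_id):
        raise PermissionError("not a member of this workspace")
    return issue_id if issue_id in ISSUES else None

def fetch_issue_fixed(user_id, workspace_id, issue_id):
    # Tenancy-scoped lookup: the issue must belong to the workspace the caller
    # was authorized for. A foreign issue looks exactly like a missing one.
    if not is_member(user_id, workspace_id):
        raise PermissionError("not a member of this workspace")
    if ISSUES.get(issue_id) != workspace_id:
        return None
    return issue_id

def _require_owner(actor_id, workspace_id):
    # Membership alone must not authorize destructive or role-changing actions.
    members = WORKSPACES.get(workspace_id)
    if members is None or members.get(actor_id) != "owner":
        raise PermissionError("owner role required")
    return members

def assign_role(actor_id, workspace_id, target_id, role):
    # Closes the member-add privilege escalation: only owners grant roles.
    if role not in ("owner", "member"):
        raise ValueError("unknown role")
    _require_owner(actor_id, workspace_id)[target_id] = role
    return WORKSPACES[workspace_id][target_id]

def delete_workspace(actor_id, workspace_id):
    # The DELETE path requires ownership, not mere membership.
    _require_owner(actor_id, workspace_id)
    del WORKSPACES[workspace_id]
    return workspace_id not in WORKSPACES
```

In a real service the scoped lookup belongs in the data-access query itself (filter by both issue id and workspace id), so that no handler can forget it.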

RECOMMENDATION:

  • We recommend updating praisonai-platform to version 0.1.4.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-8g2p-pqm3-fcfh
https://github.com/advisories/GHSA-g8rr-7rj2-f627
https://github.com/advisories/GHSA-xwq8-frcg-77q8
https://github.com/advisories/GHSA-cp4f-5m9r-5jc2
https://github.com/advisories/GHSA-943m-6wx2-rc2j
