Threat Advisory

PraisonAI Vulnerability Grants Arbitrary Agent Removal

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
EXECUTIVE SUMMARY:

CVE-2026-47419, with a CVSS score of 8.3, is an insecure direct object reference (IDOR) flaw in the PraisonAI Platform Python package affecting all releases prior to version. The vulnerability stems from the agent CRUD endpoints, which verify only that the caller is a member of the workspace identified in the URL and then retrieve the agent record solely by its UUID, without confirming that the agent belongs to that workspace. An attacker who is authenticated as a legitimate user in any workspace can send a request to a different workspace's endpoint and supply a guessed or harvested agent UUID, causing the server to return, modify, or delete the targeted agent regardless of ownership. Exploitation requires only network access to the API and a valid user session; no special privileges or additional credentials are needed beyond membership in any workspace. Successful exploitation grants the adversary the ability to read sensitive configuration, alter agent behavior, or permanently remove agents, potentially disrupting AI-driven workflows, compromising data integrity, and causing service downtime. The attack is viable whenever the application exposes the affected endpoints to authenticated users and does not enforce workspace-scoped checks on the backend.
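The access-control gap described above, shown as an added example (constructed for this advisory, not PraisonAI's own code, with all class and function names assumed): a handler that checks workspace membership but then fetches the agent by UUID alone, beside the workspace-scoped lookup that closes the gap and a delete that reuses it.

```python
# Data model, store and handler names below are constructed for this
# example; they are not PraisonAI's own code.
from dataclasses import dataclass, field


@dataclass
class Agent:
    id: str
    workspace_id: str
    config: dict = field(default_factory=dict)


class AgentStore:
    """Toy stand-in for a database table keyed by agent UUID."""

    def __init__(self) -> None:
        self.agents: dict[str, Agent] = {}
        self.memberships: dict[str, set[str]] = {}  # user -> workspace ids

    def require_member(self, user: str, workspace_id: str) -> None:
        if workspace_id not in self.memberships.get(user, set()):
            raise PermissionError("caller is not a member of this workspace")


def get_agent_vulnerable(store: AgentStore, user: str, workspace_id: str,
                         agent_id: str) -> Agent:
    # Membership of the workspace named in the URL is checked ...
    store.require_member(user, workspace_id)
    # ... but the record is fetched by UUID alone, so an agent from any
    # workspace is returned to a member of *some* workspace (the IDOR).
    agent = store.agents.get(agent_id)
    if agent is None:
        raise LookupError("agent not found")
    return agent


def get_agent_fixed(store: AgentStore, user: str, workspace_id: str,
                    agent_id: str) -> Agent:
    store.require_member(user, workspace_id)
    agent = store.agents.get(agent_id)
    # Workspace-scoped lookup: the agent must belong to the URL's workspace.
    # Same error for "missing" and "elsewhere" so the endpoint does not
    # reveal which UUIDs exist in other workspaces.
    if agent is None or agent.workspace_id != workspace_id:
        raise LookupError("agent not found")
    return agent


def delete_agent_fixed(store: AgentStore, user: str, workspace_id: str,
                       agent_id: str) -> None:
    # Reuse the scoped lookup so delete inherits the ownership check.
    store.agents.pop(get_agent_fixed(store, user, workspace_id, agent_id).id)
```

In a real service the scoping belongs in the database query itself (filter by both workspace id and agent id), so that every CRUD handler gets the check by construction rather than by convention.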


RECOMMENDATION:

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-7p8g-6c6g-h9w7