Lucene search
K

10 matches found

NVD
NVD
added yesterday5 views

CVE-2026-61441

PraisonAI Platform praisonai-platform before 0.1.9 improperly authorizes deletion of issue dependencies. The DELETE dependency route accepts either endpoint of a dependency edge and checks delete permission only against the caller-selected URL issue. A workspace member who cannot delete a...

7.1CVSS
Exploits0References3
CVE
CVE
added yesterday5 views

CVE-2026-61441

PraisonAI Platform before version 0.1.9 suffers an authorization bypass in the DELETE dependency endpoint: the route validates permissions against the caller-selected URL issue but allows deletion via a member-owned issue endpoint if the dependency edge is related to a member, bypassing owner/adm...

7.1CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 2026/06/18 2:48 p.m.10 views

Authorization Bypass Through User-Controlled Key

Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the createissue and update processes. An attacker can manipulate project statistics of another...

5.3CVSS5.8AI score0.00158EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/05 4:28 p.m.3 views

Authorization Bypass Through User-Controlled Key

Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the AgentService.get process. An attacker can access, modify, or delete resources belongin...

8.7CVSS5.8AI score0.00043EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/01 2:23 p.m.2 views

Missing Authorization

Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Missing Authorization in the addmember process. An attacker can gain unauthorized owner-level access to any workspace by submitting a crafted POST...

9.6CVSS5.8AI score0.00031EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/01 2:23 p.m.4 views

Missing Authorization

Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Missing Authorization through insufficient permission checks in the updateworkspace process. An attacker can modify workspace metadata and inject...

7.1CVSS5.9AI score0.00029EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/29 10:51 p.m.2 views

Authorization Bypass Through User-Controlled Key

Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the LabelService process, which fails to verify that labelid and issueid belong to the...

7.6CVSS5.9AI score0.00038EPSS
Exploits0References2
OSV
OSV
added 2026/05/29 10:42 p.m.8 views

GHSA-3QG8-5G3R-79V5 praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset

Summary Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORMJWTSECRET is unset. A safety check exists but only fires when PLATFORMENV != "dev"; the default value of PLATFORMENV is "dev", so the check is silently...

9.8CVSS6AI score0.00054EPSS
Exploits0References2
OSV
OSV
added 2026/05/29 10:42 p.m.9 views

GHSA-H37G-4H4P-9X97 PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership

Summary PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to owner. The issue is caused by privileged workspace-management routes using the shared dependency requireworkspacemember... without...

8.8CVSS5.8AI score0.00063EPSS
Exploits0References2
NVD
NVD
added 2026/04/03 11:17 p.m.10 views

CVE-2026-34935

PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split and forwarded through the call chain to anyio.openprocess with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command...

9.8CVSS0.00824EPSS
Exploits1References2
Rows per page
Query Builder