10 matches found
CVE-2026-61441
PraisonAI Platform praisonai-platform before 0.1.9 improperly authorizes deletion of issue dependencies. The DELETE dependency route accepts either endpoint of a dependency edge and checks delete permission only against the caller-selected URL issue. A workspace member who cannot delete a...
CVE-2026-61441
PraisonAI Platform before version 0.1.9 suffers an authorization bypass in the DELETE dependency endpoint: the route validates permissions against the caller-selected URL issue but allows deletion via a member-owned issue endpoint if the dependency edge is related to a member, bypassing owner/adm...
Authorization Bypass Through User-Controlled Key
Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the createissue and update processes. An attacker can manipulate project statistics of another...
Authorization Bypass Through User-Controlled Key
Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the AgentService.get process. An attacker can access, modify, or delete resources belongin...
Missing Authorization
Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Missing Authorization in the addmember process. An attacker can gain unauthorized owner-level access to any workspace by submitting a crafted POST...
Missing Authorization
Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Missing Authorization through insufficient permission checks in the updateworkspace process. An attacker can modify workspace metadata and inject...
Authorization Bypass Through User-Controlled Key
Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the LabelService process, which fails to verify that labelid and issueid belong to the...
GHSA-3QG8-5G3R-79V5 praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
Summary Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORMJWTSECRET is unset. A safety check exists but only fires when PLATFORMENV != "dev"; the default value of PLATFORMENV is "dev", so the check is silently...
GHSA-H37G-4H4P-9X97 PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership
Summary PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to owner. The issue is caused by privileged workspace-management routes using the shared dependency requireworkspacemember... without...
CVE-2026-34935
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split and forwarded through the call chain to anyio.openprocess with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command...