Lucene search
K

17 matches found

NVD
NVD
added 3 days ago6 views

CVE-2026-61442

PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...

7.1CVSS0.00256EPSS
Exploits0References3
CVE
CVE
added 3 days ago17 views

CVE-2026-61442

PraisonAI Platform before 0.1.9 has an authorization bypass on PATCH routes for projects, issues, and agents, where workspace-members can modify owner-created records. Specifically, a member can reassign lead_id to their own user id and then delete the owner-created project, bypassing the delete ...

7.1CVSS6.1AI score0.00256EPSS
Exploits0References3
EUVD
EUVD
added 3 days ago11 views

EUVD-2026-43180

PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...

7.1CVSS6.1AI score0.00256EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-480 praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members

Summary Type: Privilege escalation / cross-tenant member injection. The POST /workspaces/workspaceid/members endpoint is gated only by requireworkspacememberworkspaceid default minrole="member" and forwards the request body's userid and role straight into MemberService.addworkspaceid, userid, rol...

9.6CVSS5.8AI score0.00031EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-482 PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation

Summary The Platform server exposes resources under /api/v1/workspaces/workspaceid/... and protects them with a requireworkspacememberworkspaceid FastAPI dependency. The dependency only checks that the caller is a member of the workspaceid in the URL prefix. The route handlers then look up the...

9.4CVSS5.8AI score0.00043EPSS
Exploits0References5
OSV
OSV
added 2026/06/01 2:23 p.m.9 views

GHSA-8G2P-PQM3-FCFH praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members

Summary Type: Privilege escalation / cross-tenant member injection. The POST /workspaces/workspaceid/members endpoint is gated only by requireworkspacememberworkspaceid default minrole="member" and forwards the request body's userid and role straight into MemberService.addworkspaceid, userid, rol...

9.6CVSS5.8AI score0.00031EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/01 2:23 p.m.17 views

praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members

Summary Type: Privilege escalation / cross-tenant member injection. The POST /workspaces/workspaceid/members endpoint is gated only by requireworkspacememberworkspaceid default minrole="member" and forwards the request body's userid and role straight into MemberService.addworkspaceid, userid, rol...

5.8AI score0.00031EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/01 2:23 p.m.4 views

Missing Authorization

Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Missing Authorization through insufficient permission checks in the updateworkspace process. An attacker can modify workspace metadata and inject...

7.1CVSS5.9AI score0.00029EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.21 views

PT-2026-45484

Summary Type: Authorization bypass enabling workspace metadata + settings tampering. The PATCH /workspaces/workspace id endpoint is gated only by require workspace memberworkspace id default min role="member". Any member can rewrite the workspace's name, description, and the settings JSON blob. T...

6.5CVSS6AI score0.00029EPSS
Exploits0References3
OSV
OSV
added 2026/05/29 11:1 p.m.9 views

GHSA-C2M8-4GCG-V22G praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}

Summary Type: Vertical privilege escalation. The PATCH /workspaces/workspaceid/members/userid endpoint is gated by requireworkspacememberworkspaceid, which defaults to minrole="member" and is never overridden by the route. The handler then calls MemberService.updateroleworkspaceid, userid,...

9.6CVSS5.8AI score0.00032EPSS
Exploits0References2
OSV
OSV
added 2026/05/29 10:42 p.m.9 views

GHSA-H37G-4H4P-9X97 PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership

Summary PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to owner. The issue is caused by privileged workspace-management routes using the shared dependency requireworkspacemember... without...

8.8CVSS5.8AI score0.00063EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/29 10:32 p.m.27 views

PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API

Summary The PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, so any authenticated user can read, modify, and delete resources in any...

5.8AI score0.00044EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.17 views

PT-2026-45059

Summary PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to owner. The issue is caused by privileged workspace-management routes using the shared dependency require workspace member... without...

8.8CVSS5.8AI score0.00063EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.10 views

PT-2026-45066

Name of the Vulnerable Software and Affected Versions praisonai-platform affected versions not specified Description A vertical privilege escalation exists where a user with the lowest privilege level can promote themselves to a workspace owner. The issue occurs because the PATCH...

9.6CVSS5.8AI score0.00032EPSS
Exploits0References7
CVE
CVE
added 2026/03/06 9:19 p.m.18 views

CVE-2026-30244

Plane (open‑source project management tool) has a vulnerability prior to version 1.2.2 where unauthenticated actors can enumerate workspace members and extract emails, user roles, and internal identifiers due to misconfigured Django REST Framework permissions. The issue has been patched in 1.2.2,...

7.5CVSS5.7AI score0.00377EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/05 9:48 p.m.8 views

Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure

Executive Summary A security vulnerability exists in the Plane project management platform that allows unauthenticated attackers to enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django RE...

7.5CVSS5.9AI score0.00377EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2026/01/02 12:0 a.m.4 views

Plane 访问控制错误漏洞

Plane is an open source, self-hosted project planning tool from Plane Open Source. An access control error vulnerability exists in versions of Plane prior to 1.2.0, which stems from a guest user being able to access a list of members of a specific workspace and recognize an administrator's email...

4.3CVSS6.4AI score0.00162EPSS
Exploits0References2
Rows per page
Query Builder