CVE-2026-47406

HIGHPre-NVD 8.18.1
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 90% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
8.1
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks

Summary

Type: Insecure Direct Object Reference. The dependency endpoints (POST/GET /workspaces/{workspace_id}/issues/{issue_id}/dependencies and DELETE .../dependencies/{dep_id}) gate access on require_workspace_member(workspace_id) only, then dispatch to DependencyService calls that take URL/body-supplied issue and dependency IDs without verifying any of them belong to the membership-checked workspace. Most damaging: create_dependency accepts body.depends_on_issue_id from the request body — that ID is checked against nothing — letting an attacker create a "blocks" or "related" link between any two issues anywhere in the database. File: src/praisonai-platform/praisonai_platform/api/routes/dependencies.py, lines 22-58; services/dependency_service.py, lines 26-65. Root cause: the same Depends(require_workspace_member) default-min-role pattern as the companion IDORs, plus a service layer (DependencyService) where every method takes raw IDs and queries them directly. create(issue_id, depends_on_issue_id, ...) writes a row with no workspace verification on either ID. list_for_issue(issue_id) returns dependencies in either direction. delete(dep_id) is a primary-key delete with no workspace predicate.

Affected Code

File 1: src/praisonai-platform/praisonai_platform/api/routes/dependencies.py, lines 22-58.

@router.post("/", response_model=DependencyResponse, status_code=status.HTTP_201_CREATED)
async def create_dependency(
    workspace_id: str,
    issue_id: str,
    body: DependencyCreate,
    user: AuthIdentity = Depends(require_workspace_member),
    session: AsyncSession = Depends(get_db),
):
    svc = DependencyService(session)
    dep = await svc.create(issue_id, body.depends_on_issue_id, body.type)  # <-- BUG: neither id is workspace-checked
    return DependencyResponse.model_validate(dep)

@router.get("/", response_model=List[DependencyResponse]) async def list_dependencies( workspace_id: str, issue_id: str, user: AuthIdentity = Depends(require_workspace_member), session: AsyncSession = Depends(get_db), ): svc = DependencyService(session) deps = await svc.list_for_issue(issue_id) # <-- BUG: returns dependencies for any issue return [DependencyResponse.model_validate(d) for d in deps]

@router.delete("/{dep_id}", status_code=status.HTTP_204_NO_CONTENT) async def delete_dependency( workspace_id: str, issue_id: str, dep_id: str, user: AuthIdentity = Depends(require_workspace_member), session: AsyncSession = Depends(get_db), ): svc = DependencyService(session) deleted = await svc.delete(dep_id) # <-- BUG: deletes any dependency by id if not deleted: raise HTTPException(status_code=404, detail="Dependency not found")

File 2: src/praisonai-platform/praisonai_platform/services/dependency_service.py, lines 26-65.

async def create(self, issue_id: str, depends_on_issue_id: str, dep_type: str = "blocks") -> IssueDependency:
    if dep_type not in VALID_TYPES:
        raise ValueError(...)
    dep = IssueDependency(
        issue_id=issue_id,                                              # <-- accepts any
        depends_on_issue_id=depends_on_issue_id,                        # <-- accepts any (from request body)
        type=dep_type,
    )
    self._session.add(dep); await self._session.flush(); return dep

async def list_for_issue(self, issue_id: str) -> list[IssueDependency]: stmt = select(IssueDependency).where( (IssueDependency.issue_id == issue_id) | (IssueDependency.depends_on_issue_id == issue_id) ) return list((await self._session.execute(stmt)).scalars().all())

async def delete(self, dep_id: str) -> bool: dep = await self.get(dep_id) # session.get(IssueDependency, dep_id) — no workspace check ...

Why it's wrong: the request-body depends_on_issue_id is the worst part: an attacker can link any two issues across any two workspaces, polluting both workspaces' dependency graphs with attacker-chosen relationships ("blocks", "blocked_by", "related"). The triagers in the foreign workspace see their issue suddenly blocked by an unrelated foreign issue, breaking sprint planning and creating false correlation. The delete(dep_id) path lets an attacker remove legitimate cross-issue links between any two foreign workspaces, also disrupting their planning. The list_for_issue path leaks the dependency graph for any issue in the deployment.

Exploit Chain

  • Attacker is a member of workspace W_attacker and harvests two foreign-workspace issue UUIDs I1 (in W_target1) and I2 (in W_target2). They leak via the activity feed, comment threads, error messages, exported dumps, the agent prompt history, or any other channel that ever serialises an issue ID. State: attacker holds two foreign issue UUIDs.
  • Attacker sends POST /workspaces/W_attacker/issues/I1/dependencies with Authorization: Bearer and body {"depends_on_issue_id": "I2", "type": "blocks"}. State: control flow enters create_dependency with issue_id=I1 (foreign), depends_on_issue_id=I2 (foreign).
  • require_workspace_member(W_attacker, attacker) passes (attacker is a member of W_attacker). DependencyService.create(I1, I2, "blocks") writes a new row IssueDependency(issue_id=I1, depends_on_issue_id=I2, type="blocks"). State: there is now a cross-workspace dependency between two foreign issues, written by the attacker.
  • The triage UIs of W_target1 and W_target2 now show that the foreign issue is blocked by an unrelated issue in another workspace. Workflow rules that key off "cannot close while blocked" will refuse to let the legitimate triagers close I1. State: foreign workflow disrupted.
  • Attacker repeats with GET /workspaces/W_attacker/issues/I1/dependencies to read the dependency graph for any foreign issue (information disclosure, project relationship mapping), or with DELETE .../{dep_id} (after enumerating dep_ids via the list call) to strip legitimate dependencies between foreign issues, breaking blocked-by chains.
  • Final state: with one workspace-member token, the attacker reads, writes, and deletes dependencies on every issue in the multi-tenant deployment, polluting the dependency graphs of foreign workspaces.

Security Impact

Severity: sec-high. CVSS 7.6: network attack, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality (cross-workspace dependency graph disclosure), high integrity (cross-workspace dependency injection and deletion), no availability claim (workflow disruption is integrity, not availability). Attacker capability: read any issue's dependency graph; create arbitrary "blocks" / "blocked_by" / "related" links between any two issues across any two workspaces; delete any dependency by id. The most surprising primitive is the cross-workspace LINKING — the only one of the IDORs in this codebase where a single attacker request can affect TWO foreign workspaces at once. Preconditions: praisonai-platform is deployed multi-tenant; attacker has any membership token; foreign issue UUIDs are reachable. Differential: source-inspection-verified end-to-end. The asymmetry between this service (no workspace predicate anywhere) and MemberService.get(workspace_id, user_id) (correctly composite-keyed) confirms the gap. With the suggested fix below, the route would resolve both the URL issue_id and the body depends_on_issue_id against IssueService.get(workspace_id, ...) before allowing the dependency to be written.

Suggested Fix

Resolve every issue id (URL and body) against workspace_id at the route layer before dispatching. The route helper from the issue-IDOR companion advisory can be reused.

--- a/src/praisonai-platform/praisonai_platform/api/routes/dependencies.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/dependencies.py
@@ -22,11 +22,16 @@
 @router.post("/", response_model=DependencyResponse, status_code=status.HTTP_201_CREATED)
 async def create_dependency(
     workspace_id: str,
     issue_id: str,
     body: DependencyCreate,
     user: AuthIdentity = Depends(require_workspace_member),
     session: AsyncSession = Depends(get_db),
 ):
+    issue_svc = IssueService(session)
+    if await issue_svc.get(workspace_id, issue_id) is None:
+        raise HTTPException(status_code=404, detail="Issue not found")
+    if await issue_svc.get(workspace_id, body.depends_on_issue_id) is None:
+        raise HTTPException(status_code=404, detail="depends_on_issue_id not found in this workspace")
     svc = DependencyService(session)
     dep = await svc.create(issue_id, body.depends_on_issue_id, body.type)
     return DependencyResponse.model_validate(dep)

Apply the same issue_svc.get(workspace_id, issue_id) precondition to list_dependencies and delete_dependency (verifying both the issue and the dependency belong to workspace_id).

CVSS v3
8.1
EG Score
8.1(low)
EPSS
9.7%
KEV
Not listed

Published

May 29, 2026

Last Modified

May 29, 2026

Vendor Advisories for CVE-2026-47406(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
praisonai-platform0.1.0, 0.1.1, 0.1.2, 0.1.30.1.4

Data Freshness Timeline

(refreshed 3× in last 7d / 26× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 01:45 UTCEG score recompute
  2. 2026-07-14 13:43 UTCEG score recompute
  3. 2026-07-11 16:52 UTCEG score recompute
  4. 2026-07-08 17:14 UTCEG score recompute
  5. 2026-07-02 15:58 UTCEG score recompute
  6. 2026-07-02 03:41 UTCEG score recompute
  7. 2026-07-01 12:54 UTCEG score recompute
  8. 2026-07-01 01:17 UTCEG score recompute
  9. 2026-06-30 02:36 UTCEG score recompute
  10. 2026-06-29 15:02 UTCEG score recompute
  11. 2026-06-29 03:29 UTCEG score recompute
  12. 2026-06-28 15:52 UTCEG score recompute
  13. 2026-06-28 03:20 UTCEG score recompute
  14. 2026-06-27 15:46 UTCEG score recompute
  15. 2026-06-27 04:10 UTCEG score recompute
  16. 2026-06-26 16:10 UTCEG score recompute
  17. 2026-06-26 01:53 UTCEG score recompute
  18. 2026-06-25 14:18 UTCEG score recompute
  19. 2026-06-25 02:45 UTCEG score recompute
  20. 2026-06-24 15:08 UTCEG score recompute
  21. 2026-06-24 02:40 UTCEG score recompute
  22. 2026-06-18 22:19 UTCEG score recompute
  23. 2026-06-18 10:15 UTCEG score recompute
  24. 2026-06-17 22:20 UTCEG score recompute
  25. 2026-06-17 10:46 UTCEG score recompute
Show 37 more
  1. 2026-06-16 23:06 UTCEG score recompute
  2. 2026-06-16 11:31 UTCEG score recompute
  3. 2026-06-15 23:58 UTCEG score recompute
  4. 2026-06-15 12:25 UTCEG score recompute
  5. 2026-06-15 00:52 UTCEG score recompute
  6. 2026-06-14 23:18 UTCEPSS rescore
  7. 2026-06-14 13:16 UTCEG score recompute
  8. 2026-06-14 01:43 UTCEG score recompute
  9. 2026-06-13 14:06 UTCEG score recompute
  10. 2026-06-13 02:32 UTCEG score recompute
  11. 2026-06-12 23:12 UTCEPSS rescore
  12. 2026-06-12 14:58 UTCEG score recompute
  13. 2026-06-12 03:24 UTCEG score recompute
  14. 2026-06-11 15:51 UTCEG score recompute
  15. 2026-06-11 04:09 UTCEG score recompute
  16. 2026-06-10 16:36 UTCEG score recompute
  17. 2026-06-10 05:02 UTCEG score recompute
  18. 2026-06-09 17:29 UTCEG score recompute
  19. 2026-06-09 05:56 UTCEG score recompute
  20. 2026-06-08 18:22 UTCEG score recompute
  21. 2026-06-08 05:58 UTCEG score recompute
  22. 2026-06-07 18:25 UTCEG score recompute
  23. 2026-06-07 06:52 UTCEG score recompute
  24. 2026-06-06 19:18 UTCEG score recompute
  25. 2026-06-06 07:45 UTCEG score recompute
  26. 2026-06-05 20:12 UTCEG score recompute
  27. 2026-06-05 08:39 UTCEG score recompute
  28. 2026-06-04 21:05 UTCEG score recompute
  29. 2026-06-04 09:32 UTCEG score recompute
  30. 2026-06-03 21:59 UTCEG score recompute
  31. 2026-06-03 10:25 UTCEG score recompute
  32. 2026-06-02 22:52 UTCEG score recompute
  33. 2026-06-02 11:19 UTCEG score recompute
  34. 2026-06-01 23:46 UTCEG score recompute
  35. 2026-06-01 12:13 UTCEG score recompute
  36. 2026-06-01 00:40 UTCEG score recompute
  37. 2026-05-29 23:13 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47406?
CVE-2026-47406 is a high vulnerability published on May 29, 2026. praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks Summary Type: Insecure Direct Object Reference. The dependency endpoints (POST/GET /workspaces/{workspaceid}/issues/{issueid}/dependencies and DELETE…
When was CVE-2026-47406 disclosed?
CVE-2026-47406 was first published in the National Vulnerability Database on May 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47406 actively exploited?
CVE-2026-47406 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 9.7% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47406?
CVE-2026-47406 has a CVSS v4.0 base score of 8.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47406?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47406, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47406

Explore →

Is Your Infrastructure Affected by CVE-2026-47406?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.