CVE-2026-47411

MEDIUMPre-NVD 6.56.5
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 91% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
6.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 6.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}

Summary

Type: Authorization bypass enabling workspace metadata + settings tampering. The PATCH /workspaces/{workspace_id} endpoint is gated only by require_workspace_member(workspace_id) (default min_role="member"). Any member can rewrite the workspace's name, description, and the settings JSON blob. The settings field is a free-form JSON object — depending on which downstream code reads it, this becomes a configuration-injection primitive for any setting the platform exposes there. File: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 63-74; services/workspace_service.py's update() method. Root cause: Depends(require_workspace_member) resolves to default min_role="member". WorkspaceService.update(workspace_id, name, description, settings) writes the new fields to the workspace row without any caller-permission check. The role hierarchy (MemberService.has_role) is never consulted.

Affected Code

File: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 63-74.

@router.patch("/{workspace_id}", response_model=WorkspaceResponse)
async def update_workspace(
    workspace_id: str,
    body: WorkspaceUpdate,
    user: AuthIdentity = Depends(require_workspace_member),         # <-- BUG: defaults to min_role="member"
    session: AsyncSession = Depends(get_db),
):
    ws_svc = WorkspaceService(session)
    ws = await ws_svc.update(workspace_id, body.name, body.description, body.settings)  # <-- writes any value
    if ws is None:
        raise HTTPException(status_code=404, detail="Workspace not found")
    return WorkspaceResponse.model_validate(ws)

Why it's wrong: workspace name and settings are owner-tier fields. Renaming the workspace to a profanity is a low-impact griefing vector; rewriting the JSON settings blob is potentially a much higher-impact configuration injection (depending on what fields downstream code reads from settings, the attacker may flip feature flags, redirect webhook URLs, change LLM provider keys for shared configs, disable audit logging, etc.). The require_workspace_member(min_role) parameter is implemented and unused. This endpoint should require owner.

Exploit Chain

  • Attacker is a member of workspace W with role "member". State: attacker holds JWT.
  • Attacker sends PATCH /workspaces/W with Authorization: Bearer and body {"name": "Compromised", "description": "Owned by attacker", "settings": {"allow_public_invite": true, "ai_provider_url": "https://attacker.example/v1"}}. State: control flow enters update_workspace.
  • require_workspace_member(W, attacker) passes. WorkspaceService.update(W, ...) writes the three fields. State: workspace W now has attacker-chosen name, description, and settings.
  • The settings JSON is read by any downstream code that consults workspace settings (LLM proxying, invite flows, webhook routing). If the deployment uses settings-keyed configuration overrides, those overrides now point at attacker-controlled endpoints.
  • Final state: with one member-level token plus one PATCH, the attacker rewrites the workspace's metadata and settings, with effects ranging from cosmetic (rename) to substantive (settings-keyed config injection).

Security Impact

Severity: sec-moderate. CVSS 6.5: network attack, low complexity, low privileges, no user interaction, scope unchanged, no confidentiality directly (though settings rewrites may enable indirect data exfiltration via attacker-pointed integration URLs), high integrity, no availability claim. Attacker capability: rewrite any workspace's name, description, and settings JSON. The actual blast radius depends on what fields the deployment reads from settings — but that field is documented as a free-form JSON blob, so any future configuration the platform adds there becomes attacker-tunable. Preconditions: praisonai-platform is deployed multi-tenant; attacker has any membership token in the target workspace. Differential: source-inspection-verified. With the suggested fix below, member-tier tokens fail the gate and the metadata rewrite is rejected with 403.

Suggested Fix

--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
@@ -63,11 +63,11 @@
 @router.patch("/{workspace_id}", response_model=WorkspaceResponse)
 async def update_workspace(
     workspace_id: str,
     body: WorkspaceUpdate,
  • user: AuthIdentity = Depends(require_workspace_member),
+ user: AuthIdentity = Depends(_require_workspace_owner), # see member-update-role advisory for helper session: AsyncSession = Depends(get_db), ): ws_svc = WorkspaceService(session) ws = await ws_svc.update(workspace_id, body.name, body.description, body.settings) if ws is None: raise HTTPException(status_code=404, detail="Workspace not found") return WorkspaceResponse.model_validate(ws)

Defence-in-depth: validate the keys allowed in body.settings against an allowlist so the field cannot become an arbitrary config-injection primitive even for owners. The four companion workspace-mutation endpoints (add_member, update_member_role, remove_member, delete_workspace) exhibit the same default-min-role gap and are filed as their own advisories.

CVSS v3
6.5
EG Score
6.5(low)
EPSS
8.9%
KEV
Not listed

Published

June 1, 2026

Last Modified

June 1, 2026

Vendor Advisories for CVE-2026-47411(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
praisonai-platform0.1.0, 0.1.1, 0.1.2, 0.1.30.1.4

Data Freshness Timeline

(refreshed 2× in last 7d / 24× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-02 02:19 UTCEG score recompute
  2. 2026-07-01 00:39 UTCEG score recompute
  3. 2026-06-29 19:30 UTCEG score recompute
  4. 2026-06-28 19:16 UTCEG score recompute
  5. 2026-06-27 20:40 UTCEG score recompute
  6. 2026-06-26 22:01 UTCEG score recompute
  7. 2026-06-25 23:24 UTCEG score recompute
  8. 2026-06-25 00:48 UTCEG score recompute
  9. 2026-06-24 02:07 UTCEG score recompute
  10. 2026-06-18 22:02 UTCEG score recompute
  11. 2026-06-17 17:34 UTCEG score recompute
  12. 2026-06-16 18:58 UTCEG score recompute
  13. 2026-06-15 20:20 UTCEG score recompute
  14. 2026-06-14 23:18 UTCEPSS rescore
  15. 2026-06-14 19:17 UTCEG score recompute
  16. 2026-06-13 23:00 UTCEPSS rescore
  17. 2026-06-13 20:40 UTCEG score recompute
  18. 2026-06-12 23:12 UTCEPSS rescore
  19. 2026-06-12 22:04 UTCEG score recompute
  20. 2026-06-11 23:26 UTCEG score recompute
  21. 2026-06-11 00:50 UTCEG score recompute
  22. 2026-06-10 02:14 UTCEG score recompute
  23. 2026-06-09 03:38 UTCEG score recompute
  24. 2026-06-08 05:02 UTCEG score recompute
  25. 2026-06-07 06:26 UTCEG score recompute
Show 6 more
  1. 2026-06-06 07:50 UTCEG score recompute
  2. 2026-06-05 09:14 UTCEG score recompute
  3. 2026-06-04 10:38 UTCEG score recompute
  4. 2026-06-03 12:02 UTCEG score recompute
  5. 2026-06-02 13:26 UTCEG score recompute
  6. 2026-06-01 14:49 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47411?
CVE-2026-47411 is a medium vulnerability published on June 1, 2026. praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id} Summary Type: Authorization bypass enabling workspace metadata + settings tampering. The PATCH /workspaces/{workspaceid} endpoint is gated only by…
When was CVE-2026-47411 disclosed?
CVE-2026-47411 was first published in the National Vulnerability Database on June 1, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47411 actively exploited?
CVE-2026-47411 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 8.9% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47411?
CVE-2026-47411 has a CVSS v4.0 base score of 6.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47411?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47411, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47411

Explore →

Is Your Infrastructure Affected by CVE-2026-47411?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.