CVE-2026-47414

HIGHPre-NVD 7.67.6
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.6 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 88% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
7.6
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.6Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link)

Summary

Type: Insecure Direct Object Reference. Five label endpoints — PATCH /workspaces/{workspace_id}/labels/{label_id}, DELETE .../labels/{label_id}, POST .../issues/{issue_id}/labels/{label_id}, DELETE .../issues/{issue_id}/labels/{label_id}, GET .../issues/{issue_id}/labels — gate access on require_workspace_member(workspace_id) only and pass URL-supplied label_id and issue_id straight through to LabelService without verifying either belongs to the workspace. File: src/praisonai-platform/praisonai_platform/services/label_service.py, lines 35-100; route handlers at src/praisonai-platform/praisonai_platform/api/routes/labels.py, lines 42-106. Root cause: identical pattern to the agent / issue / project / comment IDORs in this codebase: the route's workspace_id is used as a membership predicate but never threaded through to the service layer. LabelService.get(label_id) runs session.get(IssueLabel, label_id) with no workspace filter; update/delete inherit the gap; add_to_issue(issue_id, label_id) and remove_from_issue(issue_id, label_id) write/delete association rows without verifying either ID belongs to the membership-checked workspace; list_for_issue(issue_id) reads them.

Affected Code

File 1: src/praisonai-platform/praisonai_platform/services/label_service.py, lines 35-100.

class LabelService:
    ...

async def get(self, label_id: str) -> Optional[IssueLabel]: return await self._session.get(IssueLabel, label_id) # <-- BUG: no workspace_id predicate

async def update( self, label_id: str, ... ) -> Optional[IssueLabel]: label = await self.get(label_id) # <-- inherits the gap ...

async def delete(self, label_id: str) -> bool: label = await self.get(label_id) # <-- inherits the gap ...

async def add_to_issue(self, issue_id: str, label_id: str) -> None: # writes a row in issue_label association table; no workspace check on either id

async def remove_from_issue(self, issue_id: str, label_id: str) -> None: # deletes from association table; no workspace check on either id

async def list_for_issue(self, issue_id: str) -> list[IssueLabel]: # reads from association table; no workspace check on issue_id

File 2: src/praisonai-platform/praisonai_platform/api/routes/labels.py, lines 42-106.

@router.patch("/labels/{label_id}", response_model=LabelResponse)
async def update_label(workspace_id: str, label_id: str, body: LabelUpdate, ...):
    svc = LabelService(session)
    label = await svc.update(label_id, body.name, body.color)        # <-- writes any label in the DB
    ...

@router.delete("/labels/{label_id}", ...) async def delete_label(workspace_id: str, label_id: str, ...): deleted = await svc.delete(label_id) # <-- deletes any label in the DB ...

@router.post("/issues/{issue_id}/labels/{label_id}", ...) async def add_label_to_issue(workspace_id: str, issue_id: str, label_id: str, ...): await svc.add_to_issue(issue_id, label_id) # <-- attaches any label to any issue cross-workspace

@router.delete("/issues/{issue_id}/labels/{label_id}", ...) async def remove_label_from_issue(workspace_id: str, issue_id: str, label_id: str, ...): await svc.remove_from_issue(issue_id, label_id) # <-- detaches any label from any issue cross-workspace

@router.get("/issues/{issue_id}/labels", ...) async def list_issue_labels(workspace_id: str, issue_id: str, ...): labels = await svc.list_for_issue(issue_id) # <-- reads label assignments for any issue

Why it's wrong: the workspace_id URL segment is treated as a UI hint; the actual label_id and issue_id lookups query the database without a workspace constraint. The MemberService in this same codebase uses a composite key correctly; the label service does not. The add_to_issue and remove_from_issue paths are particularly nasty because they touch *two* unverified IDs at once: an attacker can attach a foreign workspace's label to a foreign workspace's issue (or detach the legitimate labels), corrupting both sides of an association the attacker has no business touching.

Exploit Chain

  • Attacker registers a workspace W_attacker (member) and harvests a foreign-workspace label_id L_T and a foreign-workspace issue_id I_T. Both leak via list_labels responses (which include label IDs — but only for W_attacker; for the target the IDs come from issue records that include label associations, activity feeds, exported dumps, error messages). State: attacker holds L_T and I_T.
  • Attacker authenticates and sends PATCH /workspaces/W_attacker/labels/L_T with {"name": "", "color": "#000000"}. require_workspace_member(W_attacker, attacker) passes. LabelService.update(L_T, ...) loads the foreign label and renames it. State: every issue across the foreign workspace that bears this label now displays the attacker-chosen name and colour.
  • Attacker sends DELETE /workspaces/W_attacker/labels/L_T. LabelService.delete(L_T) deletes the foreign label, dropping every issue-label association row that referenced it (cascade or orphan, depending on schema). State: foreign workspace's labels are gone or corrupted.
  • Attacker sends POST /workspaces/W_attacker/issues/I_T/labels/L_T2 to attach foreign label L_T2 to foreign issue I_T. LabelService.add_to_issue(I_T, L_T2) writes the association row regardless of either ID's workspace. State: the foreign issue now carries an arbitrary attacker-chosen label, which surfaces in every filter/search/board view in the foreign workspace's UI.
  • Attacker sends DELETE /workspaces/W_attacker/issues/I_T/labels/L_legit to strip the legitimate label off the foreign issue. State: triagers can no longer find the issue via label filters.
  • Attacker sends GET /workspaces/W_attacker/issues/I_T/labels to read the current label set on any foreign issue. State: the attacker fingerprints the foreign workspace's triage taxonomy.
  • Final state: with one workspace-member token plus harvested foreign IDs, the attacker rewrites and deletes other workspaces' labels, attaches/detaches arbitrary labels on other workspaces' issues, and reads triage state across the deployment.

Security Impact

Severity: sec-moderate. CVSS 6.3: network attack, low complexity, low privileges, no user interaction, scope unchanged. The integrity damage is high (rename/delete of foreign labels is permanent and silent; cross-workspace label-attachment corrupts UI filters), confidentiality is low (label names are not the most sensitive field but do leak triage taxonomy), availability low (foreign workspaces may lose triage visibility into their own issues until the labels are restored). Attacker capability: rename and delete any label in the multi-tenant deployment; attach any label to any issue; detach any label from any issue; list label assignments for any issue. Combined with the companion IssueService IDOR (separate advisory), the attacker can also modify the underlying issue, making the cross-workspace tampering very difficult to detect. Preconditions: praisonai-platform is deployed multi-tenant; the attacker has any membership token; target IDs are known or guessable. Differential: source-inspection-verified end-to-end. The asymmetry between LabelService.list_for_workspace(workspace_id) (correctly workspace-scoped) and LabelService.get(label_id) / add_to_issue(issue_id, label_id) (no workspace check) confirms the gap. With the suggested fix below, label and issue IDs that do not belong to the membership-checked workspace return 404, and the attacker cannot touch them.

Suggested Fix

Make every single-row label lookup take the workspace predicate; verify both issue_id and label_id belong to workspace_id for the association routes.

--- a/src/praisonai-platform/praisonai_platform/services/label_service.py
+++ b/src/praisonai-platform/praisonai_platform/services/label_service.py
@@ -33,7 +33,12 @@ class LabelService:
         return label
  • async def get(self, label_id: str) -> Optional[IssueLabel]:
  • return await self._session.get(IssueLabel, label_id)
+ async def get(self, workspace_id: str, label_id: str) -> Optional[IssueLabel]: + stmt = select(IssueLabel).where( + IssueLabel.id == label_id, + IssueLabel.workspace_id == workspace_id, + ) + return (await self._session.execute(stmt)).scalar_one_or_none()
  • async def add_to_issue(self, issue_id: str, label_id: str) -> None:
+ async def add_to_issue(self, workspace_id: str, issue_id: str, label_id: str) -> None: + # Verify both ids belong to workspace_id before writing the association row.

Then update the route handlers in routes/labels.py to thread workspace_id through every call. The same single-key-lookup pattern is filed separately for AgentService, IssueService, ProjectService, and CommentService — each is its own exploitable IDOR.

CVSS v3
7.6
EG Score
7.6(low)
EPSS
11.7%
KEV
Not listed

Published

May 29, 2026

Last Modified

May 29, 2026

Vendor Advisories for CVE-2026-47414(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
praisonai-platform0.1.0, 0.1.1, 0.1.2, 0.1.30.1.4

Data Freshness Timeline

(refreshed 3× in last 7d / 23× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 01:45 UTCEG score recompute
  2. 2026-07-14 13:43 UTCEG score recompute
  3. 2026-07-11 16:52 UTCEG score recompute
  4. 2026-07-08 17:15 UTCEG score recompute
  5. 2026-07-02 18:55 UTCEG score recompute
  6. 2026-07-02 03:41 UTCEG score recompute
  7. 2026-07-01 14:04 UTCEG score recompute
  8. 2026-07-01 01:17 UTCEG score recompute
  9. 2026-06-30 01:11 UTCEG score recompute
  10. 2026-06-29 12:25 UTCEG score recompute
  11. 2026-06-28 19:41 UTCEG score recompute
  12. 2026-06-28 06:54 UTCEG score recompute
  13. 2026-06-27 18:08 UTCEG score recompute
  14. 2026-06-27 05:21 UTCEG score recompute
  15. 2026-06-26 16:10 UTCEG score recompute
  16. 2026-06-25 19:04 UTCEG score recompute
  17. 2026-06-25 06:16 UTCEG score recompute
  18. 2026-06-24 15:26 UTCEG score recompute
  19. 2026-06-24 02:40 UTCEG score recompute
  20. 2026-06-18 22:19 UTCEG score recompute
  21. 2026-06-18 01:47 UTCEG score recompute
  22. 2026-06-17 13:01 UTCEG score recompute
  23. 2026-06-17 00:07 UTCEG score recompute
  24. 2026-06-16 11:21 UTCEG score recompute
  25. 2026-06-15 22:35 UTCEG score recompute
Show 32 more
  1. 2026-06-15 09:49 UTCEG score recompute
  2. 2026-06-14 23:18 UTCEPSS rescore
  3. 2026-06-14 20:52 UTCEG score recompute
  4. 2026-06-14 08:06 UTCEG score recompute
  5. 2026-06-13 23:00 UTCEPSS rescore
  6. 2026-06-13 19:19 UTCEG score recompute
  7. 2026-06-13 06:22 UTCEG score recompute
  8. 2026-06-12 23:12 UTCEPSS rescore
  9. 2026-06-12 17:34 UTCEG score recompute
  10. 2026-06-12 04:46 UTCEG score recompute
  11. 2026-06-11 16:00 UTCEG score recompute
  12. 2026-06-11 03:14 UTCEG score recompute
  13. 2026-06-10 14:28 UTCEG score recompute
  14. 2026-06-10 01:42 UTCEG score recompute
  15. 2026-06-09 12:56 UTCEG score recompute
  16. 2026-06-09 00:10 UTCEG score recompute
  17. 2026-06-08 11:24 UTCEG score recompute
  18. 2026-06-07 22:38 UTCEG score recompute
  19. 2026-06-07 09:52 UTCEG score recompute
  20. 2026-06-06 21:06 UTCEG score recompute
  21. 2026-06-06 08:20 UTCEG score recompute
  22. 2026-06-05 19:34 UTCEG score recompute
  23. 2026-06-05 06:48 UTCEG score recompute
  24. 2026-06-04 18:02 UTCEG score recompute
  25. 2026-06-04 05:16 UTCEG score recompute
  26. 2026-06-03 16:30 UTCEG score recompute
  27. 2026-06-03 03:44 UTCEG score recompute
  28. 2026-06-02 14:58 UTCEG score recompute
  29. 2026-06-02 02:12 UTCEG score recompute
  30. 2026-06-01 13:26 UTCEG score recompute
  31. 2026-06-01 00:40 UTCEG score recompute
  32. 2026-05-29 23:13 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47414?
CVE-2026-47414 is a high vulnerability published on May 29, 2026. praisonai-platform: Label endpoints' unchecked labelid/issueid enable cross-workspace label IDOR (edit, delete, link) Summary Type: Insecure Direct Object Reference. Five label endpoints — PATCH /workspaces/{workspaceid}/labels/{labelid}, DELETE .../labels/{labelid}, POST…
When was CVE-2026-47414 disclosed?
CVE-2026-47414 was first published in the National Vulnerability Database on May 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47414 actively exploited?
CVE-2026-47414 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 11.7% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47414?
CVE-2026-47414 has a CVSS v4.0 base score of 7.6 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47414?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47414, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47414

Explore →

Is Your Infrastructure Affected by CVE-2026-47414?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.