praisonai-platform
PyPI17 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting praisonai-platformpage 1 of 1
- CVE-2026-47399HIGHCVSS 8.8EG 8.8✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID ### Summary PraisonAI Platform's workspace-scoped REST routes contain a systemic object-level authorization flaw that allows an authentica…
- CVE-2026-47405HIGHCVSS 8.8EG 8.8✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership ### Summary PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspac…
- CVE-2026-47406HIGHCVSS 8.1EG 8.1✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks ## Summary **Type:** Insecure Direct Object Reference. The dependency endpoints (`POST/GET /work…
- CVE-2026-47407CRITICALCVSS 0.0EG 0.0✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation ## Summary The Platform server exposes resources under `/api/v1/workspaces/{workspace_id}/...` and protects them with a `require_workspace_member(workspace_…
- CVE-2026-47408MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership ## Summary **Type:** Insecure Direct Object Reference. The `GET /workspaces/{workspace_id}/issues/{issue_id}/activity` endpoint …
- CVE-2026-47409HIGHCVSS 8.1EG 8.1✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Missing authorization on member removal enables full workspace takeover by any user regardless of role ## Summary **Type:** Authorization bypass enabling owner lockout. The `DELETE /workspaces/{workspace_id}/members/{…
- CVE-2026-47410CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset ## Summary **Type:** Insecure default cryptographic key. The JWT signing secret defaults to …
- CVE-2026-47411MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.1.42026-06-01
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id} ## Summary **Type:** Authorization bypass enabling workspace metadata + settings tampering. The `PATCH /workspaces/…
- CVE-2026-47412HIGHCVSS 8.1EG 8.1✓ Fixed in 0.1.42026-06-01
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id} ## Summary **Type:** Authorization bypass enabling destructive action. The `DELETE /workspaces/{workspace_id}` endpoint is gated only by…
- CVE-2026-47413CRITICALCVSS 9.6EG 9.6✓ Fixed in 0.1.42026-06-01
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members ## Summary **Type:** Privilege escalation / cross-tenant member injection. The `POST /workspaces/{workspace_id}/members` endpoint …
- CVE-2026-47414HIGHCVSS 7.6EG 7.6✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link) ## Summary **Type:** Insecure Direct Object Reference. Five label endpoints — `PATCH /workspaces/{workspace_id}/lab…
- CVE-2026-47415HIGHCVSS 8.3EG 8.3✓ Fixed in 0.1.42026-06-01
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR ## Summary **Type:** Insecure Direct Object Reference. The issue CRUD endpoints (`GET / PATCH / DELETE /wo…
- CVE-2026-47416CRITICALCVSS 9.6EG 9.6✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id} ## Summary **Type:** Vertical privilege escalation. The `PATCH /workspaces/{workspace_id}/members/{user_id}` …
- CVE-2026-47417HIGHCVSS 8.1EG 8.1✓ Fixed in 0.1.42026-06-01
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR ## Summary **Type:** Insecure Direct Object Reference. The comment endpoints (`POST /workspaces/{work…
- CVE-2026-47418HIGHCVSS 8.1EG 8.1✓ Fixed in 0.1.42026-06-01
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR ## Summary **Type:** Insecure Direct Object Reference. The project CRUD endpoints (`GET / PATCH / DELE…
- CVE-2026-47419HIGHCVSS 8.3EG 8.3✓ Fixed in 0.1.42026-06-05
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR ## Summary **Type:** Insecure Direct Object Reference. The agent CRUD endpoints (`GET / PATCH / DELETE /wo…
- CVE-2026-48169HIGHCVSS 8.8EG 8.8✓ Fixed in 0.1.42026-05-29
vulnerable: 0.1.0, 0.1.1, 0.1.2, 0.1.3
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API ### Summary The PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects perform…
Check whether praisonai-platform is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for praisonai-platform CVEs against the assets you own.
Start Free Scan →