{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai-platform--0.1.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai-platform (\u003c= 0.1.2)"],"_cs_severities":["high"],"_cs_tags":["authorization","privilege-escalation","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Praison AI"],"content_html":"\u003cp\u003eAn authorization bypass vulnerability exists in praisonai-platform versions 0.1.2 and earlier. The vulnerability resides in the \u003ccode\u003eDELETE /workspaces/{workspace_id}/members/{user_id}\u003c/code\u003e endpoint. Due to insufficient access controls, any member of a workspace, regardless of their role, can remove any other member, including the workspace owner. This is because the endpoint is gated only by \u003ccode\u003erequire_workspace_member(workspace_id)\u003c/code\u003e with a default \u003ccode\u003emin_role=\u0026quot;member\u0026quot;\u003c/code\u003e. There is no caller-role check, no target-role check, and no protection against removing the last owner. 
This lack of proper authorization checks allows a malicious member to lock out the legitimate owner and potentially take over the workspace.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker becomes a member of workspace \u003ccode\u003eW\u003c/code\u003e with the \u0026ldquo;member\u0026rdquo; role.\u003c/li\u003e\n\u003cli\u003eAttacker enumerates members of workspace \u003ccode\u003eW\u003c/code\u003e via \u003ccode\u003eGET /workspaces/W/members\u003c/code\u003e to discover the workspace owner\u0026rsquo;s \u003ccode\u003euser_id\u003c/code\u003e (\u003ccode\u003eO_id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003eDELETE /workspaces/W/members/O_id\u003c/code\u003e request with their valid JWT.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erequire_workspace_member(W, attacker)\u003c/code\u003e check passes, as the attacker is a member of the workspace.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eMemberService.remove(W, O_id)\u003c/code\u003e is called, which removes the owner\u0026rsquo;s member record from the database.\u003c/li\u003e\n\u003cli\u003eThe owner attempts to access workspace resources, such as \u003ccode\u003eGET /workspaces/W/...\u003c/code\u003e, but \u003ccode\u003erequire_workspace_member(W, O_id)\u003c/code\u003e now fails, resulting in a 403 error.\u003c/li\u003e\n\u003cli\u003eThe legitimate owner is locked out of their own workspace.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially combine this with other vulnerabilities (e.g., \u003ccode\u003eupdate_member_role\u003c/code\u003e, \u003ccode\u003edelete_workspace\u003c/code\u003e) to promote themselves to owner and/or completely wipe the workspace, further exacerbating the impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any member of a workspace to remove any other 
member, including the workspace owner. This leads to a permanent denial-of-service for the legitimate owner, as they are locked out of their own workspace. An attacker can potentially gain full control of the workspace and its resources. This vulnerability is rated as sec-high, with a CVSS score of 8.1. Versions 0.1.2 and earlier are affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch suggested in the advisory, specifically modifying \u003ccode\u003esrc/praisonai-platform/praisonai_platform/api/routes/workspaces.py\u003c/code\u003e to include stricter role checks and owner protection logic.\u003c/li\u003e\n\u003cli\u003eImplement a detection rule to identify unauthorized attempts to remove workspace owners, focusing on \u003ccode\u003ewebserver\u003c/code\u003e logs and the \u003ccode\u003eDELETE /workspaces/{workspace_id}/members/{user_id}\u003c/code\u003e endpoint (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eReview and harden other workspace-mutation endpoints to ensure proper authorization checks, as the advisory mentions similar vulnerabilities in companion endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T22:57:51Z","date_published":"2026-05-29T22:57:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-platform-takeover/","summary":"An authorization bypass vulnerability exists in praisonai-platform where any member can remove any other member, including the workspace owner, due to missing role checks and owner protection logic, allowing an attacker to lock the legitimate owner out of their own workspace, leading to a permanent denial-of-service and potential workspace takeover (CVE-2026-47409).","title":"Praison AI Platform Missing Authorization Leads to Workspace 
Takeover","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-platform-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai-platform (\u003c= 0.1.2)"],"_cs_severities":["critical"],"_cs_tags":["idor","privilege-escalation","cross-tenant-access","fastapi"],"_cs_type":"threat","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI Platform is susceptible to critical vulnerabilities stemming from insufficient access controls and role enforcement. The platform exposes resources under \u003ccode\u003e/api/v1/workspaces/{workspace_id}/...\u003c/code\u003e, intending to protect them with a \u003ccode\u003erequire_workspace_member(workspace_id)\u003c/code\u003e FastAPI dependency. However, this dependency only validates the \u003ccode\u003eworkspace_id\u003c/code\u003e in the URL prefix, neglecting to verify the resource\u0026rsquo;s own \u003ccode\u003eworkspace_id\u003c/code\u003e. This oversight enables a malicious actor to manipulate the URL, accessing resources across different workspaces. Furthermore, member-management routes lack proper role enforcement, allowing basic members to elevate their privileges to admin or owner. Open registration without email verification at \u003ccode\u003e/api/v1/auth/register\u003c/code\u003e and a default server bind to \u003ccode\u003e0.0.0.0:8000\u003c/code\u003e further exacerbate the risk. Successful exploitation allows attackers to read, update, or delete resources across workspaces, escalate privileges, and potentially take over accounts and workspaces. 
The vulnerability affects praisonai-platform versions 0.1.2 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers an account via the open \u003ccode\u003e/api/v1/auth/register\u003c/code\u003e endpoint to obtain a valid bearer token.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target workspace ID and a resource ID (agent, issue, project, etc.) within that workspace.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to \u003ccode\u003e/api/v1/workspaces/{attacker_workspace_id}/{resource_type}/{target_resource_id}\u003c/code\u003e, substituting \u003ccode\u003e{attacker_workspace_id}\u003c/code\u003e with their own workspace ID and \u003ccode\u003e{target_resource_id}\u003c/code\u003e with the target resource ID.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erequire_workspace_member\u003c/code\u003e dependency checks if the attacker is a member of the attacker\u0026rsquo;s workspace, which passes.\u003c/li\u003e\n\u003cli\u003eThe service layer retrieves the target resource based solely on the \u003ccode\u003etarget_resource_id\u003c/code\u003e, bypassing workspace context validation.\u003c/li\u003e\n\u003cli\u003eThe attacker reads, modifies, or deletes the cross-tenant resource. 
For example, \u003ccode\u003ePATCH /api/v1/workspaces/{attacker_workspace_id}/agents/{target_agent_id}\u003c/code\u003e modifies the target agent\u0026rsquo;s instructions.\u003c/li\u003e\n\u003cli\u003eA low-privileged member uses the \u003ccode\u003ePATCH /{workspace_id}/members/{user_id}\u003c/code\u003e route to promote themselves to \u003ccode\u003eadmin\u003c/code\u003e due to missing role checks.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes the original owner and assumes full control of the workspace.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can have severe consequences. Any registered user can read every agent, issue, project, label, comment, and dependency across all workspaces. Sensitive information, such as API keys and connection strings stored within the \u003ccode\u003eagent.instructions\u003c/code\u003e and \u003ccode\u003eagent.runtime_config\u003c/code\u003e fields, is exposed. Malicious actors can rewrite \u003ccode\u003eagent.instructions\u003c/code\u003e to exfiltrate conversations or manipulate behavior. Additionally, attackers can reassign issues, edit project metadata, and delete critical resources, leading to data loss and service disruption. Basic members can escalate their privileges to admin, evict the owner, and seize control of workspaces. 
The default deployment configuration exposes the platform to network-based attacks, amplifying the impact of the vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix outlined in the advisory to re-scope every nested-resource lookup to the URL workspace to prevent cross-workspace IDOR vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement explicit \u003ccode\u003emin_role\u003c/code\u003e arguments on member-management routes to enforce role-based access control and prevent unauthorized privilege escalation.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/api/v1/workspaces/{workspace_id}/agents/{agent_id}\u003c/code\u003e and other nested-resource routes using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting privilege escalation attempts via the \u003ccode\u003ePATCH /{workspace_id}/members/{user_id}\u003c/code\u003e route.\u003c/li\u003e\n\u003cli\u003eBlock registration from untrusted networks until email verification is implemented.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T22:35:47Z","date_published":"2026-05-29T22:35:47Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-idor-privesc/","summary":"PraisonAI Platform is vulnerable to cross-workspace IDOR and member-role privilege escalation, allowing unauthorized users to read, update, or delete resources across workspaces, escalate privileges, and potentially take over accounts and workspaces due to insufficient access controls and role enforcement.","title":"PraisonAI Platform Cross-Workspace IDOR and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-idor-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Praisonai-Platform (\u003c= 0.1.2)","version":"https://jsonfeed.org/version/1.1"}