CVE-2026-61440
Received Received - Intake

PraisonAI Platform Label Authorization Flaw

Vulnerability report for CVE-2026-61440, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to alter shared label taxonomy and manipulate issue-label associations without owner or admin authorization.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
praisonai platform to 0.1.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

PraisonAI Platform before version 0.1.9 has an authorization flaw where workspace members can rename, recolor, add, or remove shared labels and issue labels without proper ownership or admin approval. This occurs due to missing authorization checks on PATCH, POST, and DELETE endpoints for label-related actions.

Impact Analysis

Attackers with basic workspace access could alter shared labels, remove labels from owner-created issues (making them disappear from filters), or add arbitrary labels. This disrupts workflows, triage states, and compromises issue tracking integrity without requiring admin oversight.

Compliance Impact

This vulnerability could lead to unauthorized data manipulation, potentially violating integrity and access control requirements in GDPR and HIPAA. Unauthorized label changes may obscure critical issue tracking, affecting audit trails and compliance reporting.

Detection Guidance

Check PraisonAI platform versions 0.1.6 through 0.1.8 for unauthorized label modifications. Monitor PATCH /labels/{label_id}, POST /issues/{issue_id}/labels/{label_id}, and DELETE /issues/{issue_id}/labels/{label_id} endpoint logs for suspicious activity by non-admin members.

Mitigation Strategies

Upgrade PraisonAI Platform to version 0.1.9 or later immediately. Review and restrict workspace member permissions to prevent unauthorized label modifications. Audit existing labels and issue-label associations for unauthorized changes.

Executive Summary

PraisonAI Platform before version 0.1.9 has an authorization flaw in label-related endpoints. Workspace members can rename, recolor, add, or remove shared labels and issue labels without proper ownership or admin checks. The system fails to enforce restrictions on PATCH and POST/DELETE endpoints for labels and issue-label links, allowing unauthorized modifications to label taxonomies and issue associations.

Impact Analysis

Attackers with basic workspace access can silently alter shared labels, remove labels from owner-created issues (causing them to disappear from filters or boards), and re-add arbitrary labels. This disrupts workflows, corrupts triage states, and undermines issue tracking integrity without requiring admin approval.

Compliance Impact

This vulnerability could impact compliance by allowing unauthorized modifications to issue labels, potentially altering data classification or access controls. Such unauthorized changes may violate integrity requirements in GDPR (data accuracy) or HIPAA (integrity of health data), depending on the system's use case.

Detection Guidance

Check PraisonAI Platform version with: pip show praisonai-platform. If version is between 0.1.6 and 0.1.8, the system is vulnerable. Review API logs for unauthorized PATCH/POST/DELETE requests to /labels/{label_id} and /issues/{issue_id}/labels/{label_id} endpoints from non-admin members.

Mitigation Strategies

Upgrade PraisonAI Platform to version 0.1.9 or later immediately. Review and restrict workspace member permissions to prevent unauthorized label modifications. Audit existing labels and issue-label associations for unauthorized changes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61440. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart