CVE-2026-61441
Received Received - Intake

PraisonAI Platform Dependency Deletion Authorization Bypass

Vulnerability report for CVE-2026-61441, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

PraisonAI Platform (praisonai-platform) before 0.1.9 improperly authorizes deletion of issue dependencies. The DELETE dependency route accepts either endpoint of a dependency edge and checks delete permission only against the caller-selected URL issue. A workspace member who cannot delete a dependency through an owner-created issue endpoint (which returns 403) can delete the same dependency edge by targeting a related member-owned issue endpoint, because permission is validated against the member-owned issue's owner. This allows members to bypass owner/admin authorization and remove owner-created issue dependencies.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
praisonai platform to 0.1.9 (exc)
mervinpraison praisonai_platform to 0.1.9 (exc)
mervinpraison praisonai_platform From 0.1.6 (inc) to 0.1.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in PraisonAI Platform versions before 0.1.9 involves improper authorization when deleting issue dependencies. Specifically, the DELETE dependency route accepts either endpoint of a dependency edge and only checks delete permission against the issue selected by the caller. This means a workspace member who cannot delete a dependency through an owner-created issue endpoint (which correctly returns a 403 Forbidden) can bypass this restriction by targeting a related member-owned issue endpoint. Because the system validates permissions against the member-owned issue's owner rather than the original owner, members can remove dependencies created by owners or admins without proper authorization.

Impact Analysis

This vulnerability allows workspace members with limited permissions to bypass owner or admin authorization controls and delete dependencies created by owners. This can disrupt workflow states such as blocks or blocked_by relationships that are expected to be protected by owner permissions. As a result, unauthorized deletion of issue dependencies can lead to workflow inconsistencies, potential data integrity issues, and loss of control over issue relationships within the platform.

Detection Guidance

This vulnerability involves improper authorization checks when deleting issue dependencies via the DELETE dependency route in PraisonAI Platform versions before 0.1.9.

To detect exploitation attempts on your system, you can monitor HTTP DELETE requests to the dependency deletion endpoints, especially those targeting member-owned issue URLs that should not allow deletion of owner-created dependencies.

Commands or methods to detect this might include:

  • Using web server or application logs to search for DELETE requests to dependency endpoints with member-owned issue identifiers.
  • Example command to search logs (assuming logs contain HTTP method and URL):
  • grep -i 'DELETE' /path/to/access.log | grep '/dependency/'
  • Review responses for unexpected 204 success codes on member-owned issue endpoints where deletion should be forbidden.
  • Implement monitoring or alerting on unusual DELETE requests from non-admin users targeting dependencies.
Mitigation Strategies

The primary mitigation step is to upgrade the PraisonAI Platform to version 0.1.9 or later, where this authorization bypass vulnerability has been fixed.

Until the upgrade can be applied, consider restricting DELETE requests to dependency endpoints to trusted users only, and monitor for suspicious deletion activity as a temporary control.

Additionally, review and tighten authorization checks on dependency deletion routes to ensure permissions are validated against the primary issue owner rather than the caller-selected URL issue.

Compliance Impact

The provided context and resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61441. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart