CVE-2026-61442
Received Received - Intake

Authorization Bypass in PraisonAI Platform

Vulnerability report for CVE-2026-61442, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: VulnCheck

Description

PraisonAI Platform (praisonai-platform) before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign lead_id to their own user id and then delete the owner-created project, bypassing the delete route's owner/admin permission check.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
praisonai praisonai_platform to 0.1.9 (exc)
praisonai praisonai_platform From 0.1.4 (inc) to 0.1.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the PraisonAI Platform versions before 0.1.9, where the system fails to properly enforce owner or admin authorization on PATCH routes for projects, issues, and agents.

While DELETE routes require owner/admin permissions, PATCH routes only require a workspace-member role, which is less restrictive.

This inconsistency allows any workspace member to modify records created by owners, such as reassigning the lead of a project to themselves and then deleting that project, bypassing the intended permission checks.

Impact Analysis

The vulnerability can lead to unauthorized modification and deletion of important resources within the PraisonAI Platform.

  • Data loss due to unauthorized deletion of owner-created projects.
  • Integrity violations by allowing workspace members to change ownership or lead assignments on projects, issues, and agents.
  • Disruption of work tracking and agent behavior, potentially impacting project management and operational workflows.
Detection Guidance

This vulnerability can be detected by monitoring and testing the PATCH routes for projects, issues, and agents in the PraisonAI Platform to see if workspace members can modify owner-created records without proper authorization.

Specifically, you can attempt to use PATCH requests to reassign the lead_id of a project or ownership fields of issues and agents to your own user ID as a workspace member and then verify if you are able to perform these changes without owner/admin privileges.

Commands to test this might include using curl or similar HTTP clients to send PATCH requests to the relevant API endpoints with modified ownership fields and observing if the changes are accepted.

  • Example curl command to test project lead reassignment via PATCH:
  • curl -X PATCH https://your-praisonai-instance/api/projects/{project_id} -H "Authorization: Bearer <workspace_member_token>" -H "Content-Type: application/json" -d '{"lead_id": "<your_user_id>"}'
  • After successful reassignment, attempt to delete the project to confirm if the authorization bypass exists.
Mitigation Strategies

Immediate mitigation steps include upgrading the PraisonAI Platform to version 0.1.9 or later, where the authorization checks on PATCH routes have been fixed to enforce owner/admin permissions consistently.

If upgrading is not immediately possible, restrict workspace member permissions to prevent them from accessing PATCH routes that modify ownership fields.

Additionally, monitor and audit PATCH requests to detect unauthorized modifications and consider implementing temporary access controls or network-level restrictions to limit exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61442. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart