Vypr Intelligence · AI-generated · Jun 1, 2026 · 4 CVEs

Praisonai Platform: Four High-Severity IDOR and Destructive Action Flaws Disclosed

Four high-severity vulnerabilities were disclosed in the Praisonai platform on June 1, 2026, allowing unauthorized users to delete workspaces or access/modify data across workspaces.

Key findings

  • Four high-severity vulnerabilities disclosed together for Praisonai platform on June 1, 2026.
  • CVE-2026-47412 allows any workspace member to delete the entire workspace.
  • CVE-2026-47415 enables cross-workspace reading, updating, and deleting of issues.
  • CVE-2026-47417 permits cross-workspace reading and posting of comments.
  • CVE-2026-47418 allows unauthorized access and modification of projects across workspaces.

On June 1, 2026, a cluster of four high-severity vulnerabilities was disclosed for the Praisonai platform, developed by Praison. These flaws, all disclosed within minutes of each other, primarily revolve around authorization bypasses and insecure direct object references (IDOR), enabling significant data exposure and destructive actions.

Destructive Workspace Deletion

The most destructive of the four, tracked as CVE-2026-47412, allows any member of a Praisonai workspace to delete the entire workspace. The DELETE /workspaces/{id} endpoint, intended for administrative control, is protected only by a check that the caller is a member of the workspace. Because membership is the sole requirement, any authenticated user with basic member privileges can trigger a complete deletion of the workspace, including all of its projects and issues.

Cross-Workspace Data Manipulation (IDOR)

The remaining three vulnerabilities (CVE-2026-47415, CVE-2026-47417, and CVE-2026-47418) are all IDOR flaws affecting the platform's handling of issues, comments, and projects within workspaces.

CVE-2026-47415 concerns the issue endpoints. The endpoints check workspace membership, but the subsequent retrieval of issues via IssueService.get(issue_id) is a bare primary-key lookup that never verifies the issue belongs to the workspace named in the request. As a result, any workspace member can read, update, or delete issues belonging to *other* workspaces.

Similarly, CVE-2026-47417 impacts comment endpoints. The POST and GET operations for comments on issues are also only gated by workspace membership. The CommentService then processes the issue_id without confirming that the issue belongs to the user's current workspace, leading to cross-workspace comment reading and posting.

CVE-2026-47418 concerns the project endpoints. The project CRUD operations and statistics endpoints (GET / PATCH / DELETE /workspaces/{workspace_id}/projects/{project_id}) suffer from the same missing workspace ownership check: the ProjectService.get(project_id) lookup is not scoped to the workspace, so any member can access or modify projects in other workspaces.
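The membership-then-primary-key pattern behind the three IDOR flaws, shown beside a workspace-scoped lookup, and a role check of the kind the workspace DELETE endpoint lacks. This is an added Python illustration, not Praisonai's code: the service functions, issue data, users and roles are constructed stand-ins.

```python
from dataclasses import dataclass

# Constructed in-memory stand-ins for the page's IssueService/ProjectService
# lookups and workspace membership table; not Praisonai's implementation.
@dataclass(frozen=True)
class Issue:
    id: int
    workspace_id: int
    title: str

ISSUES = {1: Issue(1, 100, "ws100 issue"), 2: Issue(2, 200, "ws200 issue")}
# workspace_id -> {user: role}
MEMBERS = {100: {"alice": "member", "bob": "admin"}, 200: {"carol": "member"}}

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

def require_member(user, workspace_id):
    """The only check the affected endpoints perform: is the caller a member?"""
    if user not in MEMBERS.get(workspace_id, {}):
        raise Forbidden(f"{user} is not a member of workspace {workspace_id}")

def get_issue_vulnerable(user, workspace_id, issue_id):
    """Membership check followed by an unscoped primary-key lookup (the IDOR)."""
    require_member(user, workspace_id)
    issue = ISSUES.get(issue_id)  # workspace_id from the URL is never consulted
    if issue is None:
        raise NotFound(issue_id)
    return issue

def get_issue_scoped(user, workspace_id, issue_id):
    """Membership check plus ownership check: the issue must belong to the
    workspace in the URL. A mismatch is reported as 404 rather than 403 so the
    response does not confirm that an issue with that id exists elsewhere."""
    require_member(user, workspace_id)
    issue = ISSUES.get(issue_id)
    if issue is None or issue.workspace_id != workspace_id:
        raise NotFound(issue_id)
    return issue

def can_delete_workspace(user, workspace_id):
    """Destructive actions require an elevated role, not mere membership."""
    return MEMBERS.get(workspace_id, {}).get(user) == "admin"
```

The same scoping applies to comments: resolve issue_id within the caller's workspace before reading or posting, rather than trusting the id alone.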

Impact and Response

The combined impact of these vulnerabilities is severe. Any workspace member could delete an entire workspace, causing complete data loss, and the IDOR flaws let attackers read, modify, or delete sensitive data across workspace boundaries, compromising both integrity and confidentiality. At the time of disclosure no specific patched versions had been detailed; users should consult Praison's official advisories for the latest information on affected versions and available fixes.

These vulnerabilities highlight critical gaps in Praisonai's authorization and access control mechanisms. Users of the Praisonai platform should prioritize updating to the latest available versions once patches are released and review their workspace member permissions.

AI-written article. Grounded in 4 CVE records listed below.