PraisonAI Platform, Insecure Direct Object Reference (IDOR), CVE-ID: Pending (Critical) -DC-Jun2026-62

Listen to this Post

Intro – How the CVE works (approx. 30 lines):
The vulnerability exists in PraisonAI Platform’s issue management endpoints. The routes `GET / PATCH / DELETE /workspaces/{workspace_id}/issues/{issue_id}` are protected only by require_workspace_member(workspace_id), which verifies that the authenticated user belongs to the workspace ID supplied in the URL path. After this membership gate passes, the handler calls IssueService.get(issue_id), IssueService.update(issue_id, ...), or IssueService.delete(issue_id). The `IssueService` methods perform a direct primary‑key lookup on the `issues` table using only the `issue_id` – without any `workspace_id` constraint.
Thus, an attacker who is a member of any workspace (e.g., W_attacker) can supply a target issue ID `I_T` that belongs to a different workspace W_target. The membership check succeeds because the attacker is indeed a member of W_attacker. The subsequent database operation loads the issue row by its UUID alone, ignoring the workspace mismatch. Consequently, the attacker can read, modify, or delete issues from any workspace, provided they can obtain or guess a valid issue UUID.
The root cause is a classic Insecure Direct Object Reference (IDOR): the resource lookup is not scoped to the workspace context that was used for authorization. The same codebase contains a safe example – `MemberService` uses a composite key `(workspace_id, user_id)` – proving the developer knew the pattern but failed to apply it to issues, agents, projects, comments, and labels.
The `update_issue` handler also allows overwriting project_id, enabling the attacker to reassign the foreign issue to an arbitrary project, further expanding the write primitive. All actions are logged under `W_attacker` instead of W_target, so the victim workspace’s audit trail does not record the tampering. Exploitation requires only a valid JWT (any workspace membership) and a known issue UUID, which leaks through activity feeds, comments, error messages, or exported dumps. CVSS 8.1 (High) – network attack, low complexity, low privileges, no user interaction, high confidentiality/integrity, low availability.

DailyCVE Form:

Platform: PraisonAI Platform
Version: Unspecified (multi-tenant)
Vulnerability: Workspace IDOR (CRUD)
Severity: High (CVSS 8.1)
Date: 2026-06-01

Prediction: Patch within 90days

What Undercode Say (Analytics & Commands):

Enumerate issues by harvesting UUIDs from activity feed
curl -X GET "https://target.com/api/workspaces/W_attacker/issues/I_TARGET" \
-H "Authorization: Bearer <attacker_jwt>" | jq '., .description'
Exploit write – close foreign issue and reassign project
curl -X PATCH "https://target.com/api/workspaces/W_attacker/issues/I_TARGET" \
-H "Authorization: Bearer <attacker_jwt>" \
-H "Content-Type: application/json" \
-d '{"status":"closed","project_id":"arbitrary_project_uuid"}'
Delete foreign issue
curl -X DELETE "https://target.com/api/workspaces/W_attacker/issues/I_TARGET" \
-H "Authorization: Bearer <attacker_jwt>"
SQLAlchemy query that should have been used (fixed version)
SELECT FROM issues WHERE id = :issue_id AND workspace_id = :workspace_id;

Exploit:

  • Attacker registers or joins any workspace, obtains a valid JWT.
  • Obtains a target issue UUID (e.g., from activity feed, comment threads, error messages, or screenshots).
  • Sends authenticated requests to `GET /workspaces/{own_workspace}/issues/{target_uuid}` → reads full issue content.
  • Sends `PATCH` to same URL with malicious JSON → modifies , description, status, priority, assignee, or project_id.
  • Sends `DELETE` to same URL → removes the issue from the foreign workspace.
  • All actions are logged under attacker’s workspace, evading detection in the victim’s audit logs.

Protection:

  • Change `IssueService.get(issue_id)` to `IssueService.get(workspace_id, issue_id)` using a composite WHERE clause.
  • Update handlers to pass `workspace_id` to the service methods.
  • Apply the same fix to AgentService, ProjectService, CommentService, and LabelService.
  • Return HTTP 404 when the scoped lookup returns no row – indistinguishable from non‑existent issue.
  • Consider using row‑level security or repository patterns that enforce tenant isolation automatically.

Impact:

  • Confidentiality: Full issue bodies (including customer PII, credentials, internal roadmap) exposed across tenants.
  • Integrity: Attackers can silently edit, close, or reassign any issue to misleading projects, corrupting workflow.
  • Availability: Any issue can be deleted, destroying evidence or customer reports.
  • Audit Bypass: Malicious actions are recorded under the attacker’s workspace, not the victim’s, hindering forensic analysis.
  • Lateral Movement: Write primitive allows overwriting project_id, potentially leading to further IDORs in project‑scoped resources.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top