MEDIUM 6.5 PyPI
GHSA-27p4-pjqv-whgj · CVE-2026-47408 praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership
Modified: 5/29/2026
package
PyPI / praisonai-platform
pkg:pypi/praisonai-platform
CRITICAL 9.8 PyPI
GHSA-3qg8-5g3r-79v5 · CVE-2026-47410 praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
Modified: 5/29/2026
HIGH 8.1 PyPI
GHSA-4x6r-9v57-3gqw · CVE-2026-47406 praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks
Modified: 5/29/2026
HIGH 7.6 PyPI
GHSA-5jx9-w35f-vp65 · CVE-2026-47414 praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link)
Modified: 5/29/2026
HIGH 8.8 PyPI
GHSA-6h6v-6m7w-7vxx · CVE-2026-47399 PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID
Modified: 5/29/2026
CRITICAL 9.6 PyPI
GHSA-c2m8-4gcg-v22g · CVE-2026-47416 praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}
Modified: 5/29/2026
HIGH 8.8 PyPI
GHSA-gv23-xrm3-8c62 · CVE-2026-48169 PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API
Modified: 5/29/2026
HIGH 8.8 PyPI
GHSA-h37g-4h4p-9x97 · CVE-2026-47405 PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership
Modified: 5/29/2026
CRITICAL PyPI
GHSA-h8q5-cp56-rr65 · CVE-2026-47407 PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
Modified: 5/29/2026
HIGH 8.1 PyPI
GHSA-w388-2392-px73 · CVE-2026-47409 praisonai-platform: Missing authorization on member removal enables full workspace takeover by any user regardless of role
Modified: 5/29/2026