praisonai-platform: IDOR exposes cross-tenant activity logs — MEDIUM (CVE-2026-47408)

Q: Is CVE-2026-47408 actively exploited?

No confirmed active exploitation of CVE-2026-47408 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-47408?

1. Upgrade to praisonai-platform 0.1.4, which adds a workspace-scoped IssueService.get() guard before serving activity data. 2. If immediate patching is blocked, apply network-level controls to restrict the /workspaces/*/issues/*/activity endpoint to authenticated internal clients only. 3. Audit API access logs for requests where workspace_id in the URL path differs from the workspace that owns the queried issue_id—these are exploitation indicators. 4. Conduct a full authorization audit of all API endpoints in the platform given the pattern of 59 CVEs; apply the same workspace-scoped guard pattern used in list_workspace_activity to every issue-scoped route. 5. Treat all issue UUIDs as potentially enumerated and review whether sensitive AI agent configuration, credentials, or workflow data entered issue fields or comments.

Q: What systems are affected by CVE-2026-47408?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, AI project management systems.

Q: What is the CVSS score for CVE-2026-47408?

CVE-2026-47408 has a CVSS v3.1 base score of 6.5 (MEDIUM).

CISO Take

A missing workspace ownership check in PraisonAI Platform's issue-activity API lets any authenticated workspace member silently read the full activity log of issues belonging to any other tenant by substituting a foreign issue UUID in the request path. Activity logs capture actor identities, action types, and before/after field values for every tracked change—giving an attacker a high-fidelity view of another organization's AI agent workflows, team members, and any sensitive operational data embedded in issue histories. The package carries 59 additional CVEs, signaling a systemic pattern of insufficient authorization controls that multiplies the blast radius for multi-tenant deployments. Upgrade to praisonai-platform 0.1.4 immediately; until patched, restrict API access to trusted network segments and audit logs for requests where the workspace_id in the URL path does not match the workspace that owns the queried issue_id.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium severity (CVSS 6.5) in isolation, but elevated in multi-tenant AI agent deployments where tenant isolation is a hard security boundary. Exploitation is trivial—a single authenticated GET request with a known issue UUID is sufficient, requiring no elevated privileges, no user interaction, and no specialized tooling. The asymmetry in the codebase (the workspace-level endpoint is correctly scoped; only the issue-level variant is not) suggests the gap was introduced incrementally and may not be the only such omission. The 59 other CVEs in the same package reinforce that authorization controls are applied inconsistently across the codebase.

Attack Kill Chain

Initial Access

Attacker registers on the multi-tenant PraisonAI Platform and obtains a valid workspace membership token—no elevated privileges or social engineering required.

AML.T0012

UUID Discovery

Attacker harvests a target issue UUID from any available side channel: companion issue-IDOR, UUID namespace enumeration, or incidental disclosure.

AML.T0006

IDOR Exploitation

Attacker submits GET /workspaces/{own_workspace}/issues/{foreign_uuid}/activity; the workspace membership gate passes but the database query executes without a workspace constraint, returning the full foreign activity log.

AML.T0049

Intelligence Extraction

Response exposes cross-tenant member identities, AI agent workflow patterns, triage sequences, and before/after field values from the details blob—enabling targeted follow-on attacks against the victim organization.

AML.T0087

Initial Access

Attacker registers on the multi-tenant PraisonAI Platform and obtains a valid workspace membership token—no elevated privileges or social engineering required.

AML.T0012

UUID Discovery

Attacker harvests a target issue UUID from any available side channel: companion issue-IDOR, UUID namespace enumeration, or incidental disclosure.

AML.T0006

IDOR Exploitation

Attacker submits GET /workspaces/{own_workspace}/issues/{foreign_uuid}/activity; the workspace membership gate passes but the database query executes without a workspace constraint, returning the full foreign activity log.

AML.T0049

Intelligence Extraction

Response exposes cross-tenant member identities, AI agent workflow patterns, triage sequences, and before/after field values from the details blob—enabling targeted follow-on attacks against the victim organization.

AML.T0087

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
praisonai-platform	pip	<= 0.1.2	`0.1.4`
1 dependents 86% patched ~0d to patch Full package profile →

Do you use praisonai-platform? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

Upgrade to praisonai-platform 0.1.4, which adds a workspace-scoped IssueService.get() guard before serving activity data.
If immediate patching is blocked, apply network-level controls to restrict the /workspaces/*/issues/*/activity endpoint to authenticated internal clients only.
Audit API access logs for requests where workspace_id in the URL path differs from the workspace that owns the queried issue_id—these are exploitation indicators.
Conduct a full authorization audit of all API endpoints in the platform given the pattern of 59 CVEs; apply the same workspace-scoped guard pattern used in list_workspace_activity to every issue-scoped route.
Treat all issue UUIDs as potentially enumerated and review whether sensitive AI agent configuration, credentials, or workflow data entered issue fields or comments.

Classification

Auth Bypass Data Extraction Privacy Violation Agent API AML.T0036 - Data from Information Repositories AML.T0049 - Exploit Public-Facing Application AML.T0087 - Gather Victim Identity Information

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1 - AI system design and development

NIST AI RMF

GOVERN 6.2 - Policies, processes, and practices for AI risk management

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-47408?

A missing workspace ownership check in PraisonAI Platform's issue-activity API lets any authenticated workspace member silently read the full activity log of issues belonging to any other tenant by substituting a foreign issue UUID in the request path. Activity logs capture actor identities, action types, and before/after field values for every tracked change—giving an attacker a high-fidelity view of another organization's AI agent workflows, team members, and any sensitive operational data embedded in issue histories. The package carries 59 additional CVEs, signaling a systemic pattern of insufficient authorization controls that multiplies the blast radius for multi-tenant deployments. Upgrade to praisonai-platform 0.1.4 immediately; until patched, restrict API access to trusted network segments and audit logs for requests where the workspace_id in the URL path does not match the workspace that owns the queried issue_id.

Is CVE-2026-47408 actively exploited?

No confirmed active exploitation of CVE-2026-47408 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-47408?

1. Upgrade to praisonai-platform 0.1.4, which adds a workspace-scoped IssueService.get() guard before serving activity data. 2. If immediate patching is blocked, apply network-level controls to restrict the /workspaces/*/issues/*/activity endpoint to authenticated internal clients only. 3. Audit API access logs for requests where workspace_id in the URL path differs from the workspace that owns the queried issue_id—these are exploitation indicators. 4. Conduct a full authorization audit of all API endpoints in the platform given the pattern of 59 CVEs; apply the same workspace-scoped guard pattern used in list_workspace_activity to every issue-scoped route. 5. Treat all issue UUIDs as potentially enumerated and review whether sensitive AI agent configuration, credentials, or workflow data entered issue fields or comments.

What systems are affected by CVE-2026-47408?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, AI project management systems.

What is the CVSS score for CVE-2026-47408?

CVE-2026-47408 has a CVSS v3.1 base score of 6.5 (MEDIUM).

AI Security Impact

Affected AI Architectures

agent frameworksmulti-tenant AI platformsAI project management systems

MITRE ATLAS Techniques

AML.T0036 Data from Information Repositories

AML.T0049 Exploit Public-Facing Application

AML.T0087 Gather Victim Identity Information

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.1

NIST AI RMF: GOVERN 6.2

OWASP LLM Top 10: LLM02

Technical Details

Original Advisory

## Summary **Type:** Insecure Direct Object Reference. The `GET /workspaces/{workspace_id}/issues/{issue_id}/activity` endpoint is gated by `require_workspace_member(workspace_id)` and dispatches to `ActivityService.list_for_issue(issue_id)`, which executes `SELECT * FROM activity WHERE issue_id = :issue_id` with no workspace constraint. A user who is a member of any workspace can read the full activity log of any issue across the entire multi-tenant deployment. **File:** `src/praisonai-platform/praisonai_platform/api/routes/activity.py`, lines 32-43; `services/activity_service.py`'s `list_for_issue` method. **Root cause:** the route extracts `workspace_id` from the URL path, uses it solely for the membership gate, then passes the URL-supplied `issue_id` directly to `ActivityService.list_for_issue(issue_id)` without verifying which workspace the issue belongs to. The companion `list_workspace_activity` endpoint at line 19-29 is implemented correctly (it passes `workspace_id` to `svc.list_for_workspace(workspace_id)`) — the asymmetry is the smoking gun. ## Affected Code **File:** `src/praisonai-platform/praisonai_platform/api/routes/activity.py`, lines 19-43. ```python @router.get("/activity", response_model=List[ActivityLogResponse]) async def list_workspace_activity( workspace_id: str, limit: int = Query(50, ge=1, le=200), offset: int = Query(0, ge=0), user: AuthIdentity = Depends(require_workspace_member), session: AsyncSession = Depends(get_db), ): svc = ActivityService(session) logs = await svc.list_for_workspace(workspace_id, limit=limit, offset=offset) # correct: passes workspace_id return [ActivityLogResponse.model_validate(log) for log in logs] @router.get("/issues/{issue_id}/activity", response_model=List[ActivityLogResponse]) async def list_issue_activity( workspace_id: str, issue_id: str, limit: int = Query(50, ge=1, le=200), offset: int = Query(0, ge=0), user: AuthIdentity = Depends(require_workspace_member), session: AsyncSession = Depends(get_db), ): svc = ActivityService(session) logs = await svc.list_for_issue(issue_id, limit=limit, offset=offset) # <-- BUG: no workspace_id return [ActivityLogResponse.model_validate(log) for log in logs] ``` **Why it's wrong:** activity logs are typically the most sensitive operational record — they include actor identity, action type, entity references, and a free-form `details` JSON blob that may contain pre-/post-change values for any tracked field. Reading the foreign workspace's activity log gives the attacker a high-fidelity view into who did what when, which is gold for further reconnaissance (cross-workspace member enumeration, foreign issue title disclosure, knowing which projects exist). The same author got `list_workspace_activity` right by passing `workspace_id` — the issue-scoped variant is the gap. ## Exploit Chain 1. Attacker is a member of workspace `W_attacker` and harvests a target issue UUID `I_T` from any side channel. State: attacker holds `I_T`. 2. Attacker sends `GET /workspaces/W_attacker/issues/I_T/activity?limit=200` with `Authorization: Bearer <attacker_jwt>`. State: control flow enters `list_issue_activity`. 3. `require_workspace_member(W_attacker, attacker)` passes. `ActivityService.list_for_issue(I_T)` runs `SELECT * FROM activity WHERE issue_id = 'I_T' ORDER BY created_at DESC LIMIT 200`. State: response body is the full activity log for the foreign issue. 4. The activity entries reveal: every actor (member or agent) who touched the issue, every action (created, updated, commented, status_changed, assignee_changed, project_changed, label_added, dependency_added), and the `details` JSON blob containing the before/after values of every change. State: the attacker fingerprints the foreign workspace's triage workflow, identifies who works on what, and sees the issue's complete history including any embedded secrets that ever passed through the description or comments. 5. Final state: with one workspace-member token plus one GET, the attacker reads the full activity timeline of any issue in the multi-tenant deployment given the issue UUIDs. ## Security Impact **Severity:** sec-moderate. CVSS 6.5: network attack, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality (full activity log including before/after `details`), no integrity claim (read-only), no availability claim. **Attacker capability:** read the activity log of any issue in the deployment given its UUID. Combined with the companion issue-IDOR (which already gives full issue content), this is recon for the foreign workspace's operational tempo, member identity, and triage workflow. **Preconditions:** `praisonai-platform` is deployed multi-tenant; attacker has any workspace-membership token; foreign issue UUIDs are reachable. **Differential:** source-inspection-verified. The asymmetry between `list_workspace_activity` (correctly workspace-scoped) and `list_issue_activity` (no workspace check) confirms the gap. With the suggested fix below, the route first resolves the issue via `IssueService.get(workspace_id, issue_id)`, returns 404 for foreign issues, and only then proceeds. ## Suggested Fix ```diff --- a/src/praisonai-platform/praisonai_platform/api/routes/activity.py +++ b/src/praisonai-platform/praisonai_platform/api/routes/activity.py @@ -32,9 +32,12 @@ @router.get("/issues/{issue_id}/activity", response_model=List[ActivityLogResponse]) async def list_issue_activity( workspace_id: str, issue_id: str, limit: int = Query(50, ge=1, le=200), offset: int = Query(0, ge=0), user: AuthIdentity = Depends(require_workspace_member), session: AsyncSession = Depends(get_db), ): + issue_svc = IssueService(session) + if await issue_svc.get(workspace_id, issue_id) is None: # workspace-scoped get from issue-IDOR companion + raise HTTPException(status_code=404, detail="Issue not found") svc = ActivityService(session) logs = await svc.list_for_issue(issue_id, limit=limit, offset=offset) return [ActivityLogResponse.model_validate(log) for log in logs] ``` The same single-key issue lookup pattern is filed separately as the IssueService IDOR; once that is fixed, the helper used here is just `IssueService.get(workspace_id, issue_id)`.

Exploitation Scenario

An attacker registers a legitimate account on a multi-tenant PraisonAI Platform instance and joins any workspace. Using the companion issue-IDOR (or by harvesting UUIDs from another side channel), they obtain a target issue UUID belonging to a victim organization running AI agent workflows. They issue GET /workspaces/{their_workspace_id}/issues/{target_issue_id}/activity?limit=200 with their Bearer token. The workspace membership check passes for their own workspace, but the database executes SELECT * FROM activity WHERE issue_id = '{target_issue_id}' with no workspace constraint, returning up to 200 activity entries from the victim's workspace. The attacker extracts actor identities, triage sequences, and the details blob containing before/after field values—sufficient to map the victim's AI agent orchestration patterns, identify key personnel, and stage follow-on targeted attacks.