CVE-2026-47412: praisonai-platform: member can wipe entire workspace

GHSA-g8rr-7rj2-f627 HIGH
Published June 1, 2026
CISO Take

PraisonAI Platform's workspace deletion endpoint lacks any owner-role gate, allowing any workspace member — regardless of privilege level — to issue a single HTTP DELETE and irreversibly destroy the entire workspace including all projects, agents, issues, comments, and member records via cascading database deletion. The blast radius is total: no soft-delete, no confirmation prompt, no audit trail (the activity log is also cascade-deleted), and no recovery path exists. With a CVSS of 8.1, low-complexity exploitation, and only a standard member token required, any invited collaborator or compromised account can execute this in seconds with no technical expertise. Organizations running praisonai-platform in multi-tenant or collaborative AI agent environments should patch to version 0.1.4 immediately; if patching is blocked, restrict workspace membership to fully trusted users and add an API gateway rule blocking DELETE on /workspaces/* endpoints for non-owner tokens.

Sources: GitHub Advisory, NVD, ATLAS

What is the risk?

High. CVSS 8.1 reflects a network-accessible, low-complexity exploit requiring only low privileges and no user interaction. The attack surface is every workspace with more than one member, and the destructive impact — irreversible deletion of all workspace data — is disproportionate to the access level required. Multi-tenant deployments and collaborative AI agent pipelines face the greatest exposure. Not currently in CISA KEV, but the trivial exploit chain, severe availability and integrity impact, and absence of any recovery mechanism warrant urgent remediation. The same missing default-role override affects four additional companion endpoints per the advisory, widening the privilege-abuse surface.

Attack Kill Chain

  1. Initial Access (AML.T0012): Attacker obtains workspace membership via a legitimate invite, open-registration endpoint, or by compromising any existing member's credentials.

  2. Reconnaissance (AML.T0006): Attacker extracts the target workspace_id from authenticated API responses, URL patterns in the web UI, or other member-accessible API endpoints.

  3. Exploitation (AML.T0049): Attacker issues DELETE /workspaces/{workspace_id} with their member JWT; the missing owner-role check passes, and WorkspaceService.delete() executes the cascading database deletion.

  4. Impact (AML.T0048.003): All workspace resources — agents, projects, issues, comments, labels, members, and the activity log — are permanently deleted with no recovery path, causing complete operational loss for the targeted tenant.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| praisonai | pip | | No patch |
| praisonai-platform | pip | < 0.1.4 | 0.1.4 |

Severity & Risk

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I High
A High

What should I do?

  1. Patch immediately: upgrade praisonai-platform to 0.1.4, which restricts DELETE /workspaces/{workspace_id} to owner-role only.

  2. If patching is blocked: add a WAF or API gateway rule to deny DELETE requests to /workspaces/* for tokens without owner-level claims.

  3. Audit all workspace memberships and revoke unexpected or untrusted members.

  4. Implement workspace data backups as a compensating control — the vulnerability has no soft-delete or recovery mechanism.

  5. Enable API access logging on /workspaces/* DELETE methods and alert on any invocations pending patching.

  6. Review companion endpoints (update_workspace, add_member, update_member_role, remove_member) flagged in the advisory as sharing the same default-min-role gap and apply the same owner-role tightening.
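For step 5, an added example (not code from the advisory or the PraisonAI project) that scans gateway access logs for DELETE requests on a workspace root, classifies them by the status codes the advisory names, and flags one subject deleting several workspaces. The JSON-lines schema (`ts`, `method`, `path`, `status`, `sub`) and the sample records are constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed gateway access log (JSON lines). The field names are assumptions,
# not praisonai-platform output; map them to your gateway's log schema.
SAMPLE_LOG = """\
{"ts":"2026-06-01T10:00:01Z","method":"GET","path":"/workspaces/ws-a","status":200,"sub":"user-7"}
{"ts":"2026-06-01T10:00:05Z","method":"DELETE","path":"/workspaces/ws-a","status":204,"sub":"user-7"}
{"ts":"2026-06-01T10:00:06Z","method":"DELETE","path":"/workspaces/ws-b/","status":204,"sub":"user-7"}
{"ts":"2026-06-01T10:02:00Z","method":"DELETE","path":"/workspaces/ws-c","status":403,"sub":"user-9"}
{"ts":"2026-06-01T10:03:00Z","method":"DELETE","path":"/workspaces/ws-d/members/u1","status":204,"sub":"user-2"}
truncated-or-non-JSON line
"""

# Matches the workspace root only, with optional trailing slash or query string.
WORKSPACE_ROOT = re.compile(r"^/workspaces/([^/?#]+)/?(?:\?.*)?$")
# Status codes named in the advisory: 204 deleted, 403 after the fix, 404 unknown id.
OUTCOME = {204: "workspace-deleted", 403: "blocked", 404: "not-found"}

def find_workspace_deletes(log_text):
    """Return one alert per DELETE aimed at a workspace root path."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict) or str(rec.get("method")).upper() != "DELETE":
            continue
        match = WORKSPACE_ROOT.match(str(rec.get("path", "")))
        if match:  # sub-resource deletes (e.g. members) need their own rule
            alerts.append({"ts": rec.get("ts"), "sub": rec.get("sub"),
                           "workspace_id": match.group(1),
                           "outcome": OUTCOME.get(rec.get("status"), "other")})
    return alerts

def mass_deleters(alerts, threshold=2):
    """Subjects that successfully deleted `threshold` or more distinct workspaces."""
    wiped = defaultdict(set)
    for alert in alerts:
        if alert["outcome"] == "workspace-deleted":
            wiped[alert["sub"]].add(alert["workspace_id"])
    return {sub: sorted(ws) for sub, ws in wiped.items() if len(ws) >= threshold}

if __name__ == "__main__":
    found = find_workspace_deletes(SAMPLE_LOG)
    print(*found, sep="\n")
    print("mass deletion:", mass_deleters(found))
```

Because the platform's own activity log is removed by the cascade, a log kept outside the application, such as this gateway log, is the only place these events survive.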

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.1.2 - Information security roles and responsibilities
NIST AI RMF: GOVERN 1.2 - Policies, processes, procedures and practices across the organization
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions


Is CVE-2026-47412 actively exploited?

No confirmed active exploitation of CVE-2026-47412 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-47412?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, collaborative AI agent workflows, AI orchestration platforms.

What is the CVSS score for CVE-2026-47412?

CVE-2026-47412 has a CVSS v3.1 base score of 8.1 (HIGH).

AI Security Impact

Affected AI Architectures

agent frameworks, multi-tenant AI platforms, collaborative AI agent workflows, AI orchestration platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM06

Technical Details

Original Advisory

## Summary

**Type:** Authorization bypass enabling destructive action.

The `DELETE /workspaces/{workspace_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`). Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project, issue, comment, agent, label, and member record (cascading via the foreign-key relationships). There is no owner-role gate, no confirmation token, no soft-delete window, no recovery path.

**File:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 77-86; `services/workspace_service.py`'s `delete()` method.

**Root cause:** the route uses `Depends(require_workspace_member)` which defaults to `min_role="member"` and is never overridden. The service method `WorkspaceService.delete(workspace_id)` performs the destructive operation without any caller-permission verification. The role hierarchy (`MemberService.has_role`, member_service.py:80-96) is implemented but unused for this endpoint.

## Affected Code

**File:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 77-86.

```python
@router.delete("/{workspace_id}", status_code=status.HTTP_204_NO_CONTENT)
async def delete_workspace(
    workspace_id: str,
    user: AuthIdentity = Depends(require_workspace_member),  # <-- BUG: defaults to min_role="member"
    session: AsyncSession = Depends(get_db),
):
    ws_svc = WorkspaceService(session)
    deleted = await ws_svc.delete(workspace_id)  # <-- destructive, no role check
    if not deleted:
        raise HTTPException(status_code=404, detail="Workspace not found")
```

**Why it's wrong:** workspace deletion is the most destructive single action in this product — it wipes every member, project, issue, comment, agent, and label belonging to the tenant. The standard convention is to gate this on owner role, ideally with a confirmation parameter (typed workspace name) and a recovery window. This endpoint does none of that. The `require_workspace_member(min_role)` parameter exists precisely for this kind of tightening but is never invoked with anything other than the default.

## Exploit Chain

1. Attacker is a member of workspace `W` (joined via invite, signup default, or any other route into membership). State: attacker holds JWT with `Member(workspace_id=W, user_id=attacker, role="member")`.
2. Attacker sends `DELETE /workspaces/W` with `Authorization: Bearer <attacker_jwt>`. State: control flow enters `delete_workspace`.
3. `require_workspace_member(W, attacker)` passes (attacker is a member, default min_role="member" satisfied). `WorkspaceService.delete(W)` removes the workspace row; SQLAlchemy cascade rules drop every related row (members, projects, issues, comments, agents, labels). State: workspace `W` no longer exists.
4. Final state: a low-privilege member has wiped the workspace. The legitimate owner has no recovery: no soft-delete, no audit-trail event for the deletion (the `Activity` log row would have been deleted too as part of the cascade).

The same primitive at scale (script that DELETEs every workspace_id the attacker can enumerate) becomes a multi-tenant griefing tool.

## Security Impact

**Severity:** sec-high. CVSS 8.1: network attack, low complexity, low privileges, no user interaction, scope unchanged, no confidentiality (just destruction), high integrity (every workspace child row wiped), high availability (workspace gone for legitimate owner).

**Attacker capability:** with one workspace-member token plus one DELETE request, the attacker irreversibly deletes the workspace and every child resource. The deletion is silent and immediate.

**Preconditions:** `praisonai-platform` is deployed multi-tenant; the attacker has any membership token in the target workspace.

**Differential:** source-inspection-verified. The asymmetry between `require_workspace_member`'s clearly-tunable `min_role` parameter and this endpoint's use of the default value confirms the gap.
With the suggested fix below, member-tier tokens fail the gate at the dependency, the destructive action never reaches the service layer, and the endpoint returns 403 instead of 204. ## Suggested Fix ```diff --- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py +++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py @@ -75,11 +75,15 @@ +def _require_workspace_owner(workspace_id: str, user, session): + return require_workspace_member(workspace_id, user, session, min_role="owner") + @router.delete("/{workspace_id}", status_code=status.HTTP_204_NO_CONTENT) async def delete_workspace( workspace_id: str, - user: AuthIdentity = Depends(require_workspace_member), + user: AuthIdentity = Depends(_require_workspace_owner), session: AsyncSession = Depends(get_db), ): ws_svc = WorkspaceService(session) deleted = await ws_svc.delete(workspace_id) if not deleted: raise HTTPException(status_code=404, detail="Workspace not found") ``` Defence-in-depth: require a typed-confirmation parameter (e.g. body `{"confirm_name": "<workspace_name>"}`) and implement a 30-day soft-delete with restore. The four companion workspace-mutation endpoints (`update_workspace`, `add_member`, `update_member_role`, `remove_member`) exhibit the same default-min-role gap and are filed as their own advisories.
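
Review bot: in the added `_require_workspace_owner(workspace_id: str, user, session)` helper, `user` and `session` are bare parameters with no `Depends(...)` default, so when the route resolves the helper through `Depends(_require_workspace_owner)` FastAPI will not inject the authenticated identity or the DB session and will read them as request parameters instead. Give both parameters explicit dependency defaults the way the route does (`session: AsyncSession = Depends(get_db)`), and if `require_workspace_member` is a coroutine function the helper also needs `async def` and `await`. The role check also still lives only in the route: `ws_svc.delete(workspace_id)` is called without the caller's role, so any other caller of `WorkspaceService.delete()` stays ungated, and a test asserting 403 for a member-role token on this route would pin the behaviour.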

Exploitation Scenario

An adversary joins a target PraisonAI workspace via a legitimate invite link, a misconfigured open-registration endpoint, or by compromising any existing member's credentials. With a valid member JWT in hand, they issue a single HTTP DELETE to /workspaces/{workspace_id}. The FastAPI dependency require_workspace_member passes because the attacker holds a valid membership token and the default min_role='member' is satisfied without override. WorkspaceService.delete() executes immediately, triggering a cascading foreign-key deletion that wipes every project, agent, issue, comment, label, and member record in the workspace. The operation completes in milliseconds, is immediately irreversible, and produces no surviving audit trail. At scale, an attacker who enumerates accessible workspace IDs via other member-accessible API endpoints can script mass deletion across every workspace they have any membership in — a multi-tenant griefing scenario affecting all platform customers simultaneously.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Timeline

Published: June 1, 2026
Last Modified: June 1, 2026
First Seen: June 1, 2026
