CVE-2026-47405: PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership

PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to owner.

The issue is caused by privileged workspace-management routes using the shared dependency require_workspace_member(...) without requiring admin or owner. The dependency defaults to min_role="member", so routes that should be administrative are accessible to ordinary workspace members.

As a result, a normal workspace member can:

• promote their own account from member to owner;
• add arbitrary users as owner or admin;
• change other members’ roles;
• remove legitimate owners or members;
• take over workspace membership completely;
• perform destructive workspace operations after escalation.

This is a broken access control / vertical privilege escalation vulnerability.