CVE-2026-47407: PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation

May 29, 2026

The Platform server exposes resources under /api/v1/workspaces/{workspace_id}/... and protects them with a require_workspace_member(workspace_id) FastAPI dependency. The dependency only checks that the caller is a member of the workspace_id in the URL prefix. The route handlers then look up the inner resource (agent_id, issue_id, project_id, label_id, comment_id, dependency_id) by primary key alone. The resource’s own workspace_id is never compared to the URL’s workspace_id.

A user can therefore put their own workspace in the URL prefix and any other workspace’s resource ID in the path. The auth check passes, since they really are a member of the prefix workspace. The service then returns the cross-tenant resource for read, update, or delete.

There is a second bug in the member-management routes (add_member, update_member_role, remove_member, update_workspace, delete_workspace). Each one inherits the default min_role="member" from require_workspace_member. Any basic member can therefore promote themselves to admin or owner, demote or remove other members, and delete the workspace. The role hierarchy exists in the schema but is not enforced.

Registration is open at /api/v1/auth/register with no email verification. The default server bind is 0.0.0.0:8000 (python -m praisonai_platform). One curl from any unauthenticated network position is enough to bootstrap into the system.
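The two authorization gaps described above, reduced to plain Python as an added illustration (not PraisonAI's code, and without FastAPI): require_workspace_member is modelled as the advisory describes it, and each handler appears in its vulnerable form beside a fixed form that scopes the lookup to the URL's workspace and raises min_role for member management. The role ranks, workspace IDs, agent rows and user names are constructed assumptions.

```python
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}  # assumed hierarchy

# Constructed sample state: alice is a plain member of ws-a, bob owns ws-b.
MEMBERS = {("ws-a", "alice"): "member", ("ws-b", "bob"): "owner"}
AGENTS = {"agent-1": {"workspace_id": "ws-a", "name": "alpha"},
          "agent-2": {"workspace_id": "ws-b", "name": "beta"}}

class Forbidden(Exception): pass   # stands in for HTTP 403
class NotFound(Exception): pass    # stands in for HTTP 404

def require_workspace_member(workspace_id, user, min_role="member"):
    # Checks membership/role only in the workspace named by the URL prefix.
    role = MEMBERS.get((workspace_id, user))
    if role is None or ROLE_RANK[role] < ROLE_RANK[min_role]:
        raise Forbidden(f"{user} lacks {min_role} in {workspace_id}")
    return role

def get_agent_vulnerable(workspace_id, agent_id, user):
    require_workspace_member(workspace_id, user)
    agent = AGENTS.get(agent_id)  # primary-key lookup; workspace never compared
    if agent is None:
        raise NotFound(agent_id)
    return agent

def get_agent_fixed(workspace_id, agent_id, user):
    require_workspace_member(workspace_id, user)
    agent = AGENTS.get(agent_id)
    # Tenant scoping: the row must belong to the URL workspace; a foreign row
    # gets 404 rather than 403 so the ID's existence is not leaked.
    if agent is None or agent["workspace_id"] != workspace_id:
        raise NotFound(agent_id)
    return agent

def update_member_role_vulnerable(workspace_id, actor, target, new_role):
    require_workspace_member(workspace_id, actor)  # inherits min_role="member"
    MEMBERS[(workspace_id, target)] = new_role
    return new_role

def update_member_role_fixed(workspace_id, actor, target, new_role):
    # Management routes demand admin, and nobody may grant a rank above their own.
    actor_role = require_workspace_member(workspace_id, actor, min_role="admin")
    if ROLE_RANK[new_role] > ROLE_RANK[actor_role]:
        raise Forbidden(f"{actor} cannot grant {new_role}")
    MEMBERS[(workspace_id, target)] = new_role
    return new_role

def outcome(fn, *args):
    # Return the call's result, or the exception name when the call is refused.
    try:
        return fn(*args)
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__
```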

References

  • github.com/MervinPraison/PraisonAI/security/advisories/GHSA-h8q5-cp56-rr65
  • github.com/advisories/GHSA-h8q5-cp56-rr65
  • nvd.nist.gov/vuln/detail/CVE-2026-47407

Affected versions

All versions before 0.1.4

Fixed versions

  • 0.1.4

Solution

Upgrade to version 0.1.4 or above.

Impact: 9.9 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weakness

  • CWE-269: Improper Privilege Management
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-863: Incorrect Authorization

Source file

pypi/praisonai-platform/CVE-2026-47407.yml

Page generated Tue, 23 Jun 2026 12:23:02 +0000.