GHSA-rh39-9c67-59mh: PraisonAI: Missing ownership check on DELETE endpoints allows members to delete others' content in Platform API
A workspace member can permanently delete any resource — projects, agents, issues, labels, issue dependencies, and issue-label attachments — created by the workspace owner or other members. All six content DELETE endpoints enforce workspace membership but perform no ownership or role check. A single malicious or compromised member account can wipe an entire workspace’s content irreversibly.
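The pattern the advisory describes is easiest to see in code. The block below is an added illustration, not PraisonAI's own implementation: a minimal in-memory model of a Platform API DELETE handler with the membership-only check beside a hardened variant. The data model (`Workspace`, `Resource`, `Store`), the role names and the chosen authorization rule (the creator, or a workspace owner/admin, may delete) are all assumptions for the example; the advisory does not state how the project fixed the issue. Return values mimic HTTP status codes so the difference between the two handlers is directly observable.

```python
from dataclasses import dataclass, field


@dataclass
class Workspace:
    id: str
    owner_id: str
    members: dict  # user_id -> role: "owner", "admin" or "member" (assumed roles)


@dataclass
class Resource:
    id: str
    workspace_id: str
    created_by: str
    kind: str  # e.g. "project", "agent", "issue", "label"


@dataclass
class Store:
    workspaces: dict = field(default_factory=dict)
    resources: dict = field(default_factory=dict)


def _resolve(store, actor_id, workspace_id, resource_id):
    """Shared lookup: returns (status, workspace, resource).

    Membership is enforced here. A resource that exists but belongs to a
    different workspace is reported as 404 so cross-workspace IDs cannot be
    probed, let alone deleted.
    """
    ws = store.workspaces.get(workspace_id)
    if ws is None or actor_id not in ws.members:
        return 403, None, None
    res = store.resources.get(resource_id)
    if res is None or res.workspace_id != ws.id:
        return 404, ws, None
    return 200, ws, res


def delete_resource_vulnerable(store, actor_id, workspace_id, resource_id):
    """Membership-only check: any member can delete any member's resource."""
    status, ws, res = _resolve(store, actor_id, workspace_id, resource_id)
    if status != 200:
        return status
    del store.resources[res.id]  # no ownership or role check before the delete
    return 204


def delete_resource_fixed(store, actor_id, workspace_id, resource_id):
    """Membership plus an ownership-or-role check (assumed policy)."""
    status, ws, res = _resolve(store, actor_id, workspace_id, resource_id)
    if status != 200:
        return status
    role = ws.members[actor_id]
    if res.created_by != actor_id and role not in ("owner", "admin"):
        return 403  # plain members may only delete what they created
    del store.resources[res.id]
    return 204


def build_sample_store():
    """Constructed sample data: two workspaces, an owner, a plain member,
    and resources created by each of them."""
    store = Store()
    store.workspaces["ws1"] = Workspace("ws1", "alice", {"alice": "owner", "mallory": "member"})
    store.workspaces["ws2"] = Workspace("ws2", "bob", {"bob": "owner"})
    store.resources["proj1"] = Resource("proj1", "ws1", "alice", "project")
    store.resources["proj2"] = Resource("proj2", "ws1", "mallory", "project")
    store.resources["proj3"] = Resource("proj3", "ws2", "bob", "project")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("vulnerable, member deletes owner's project:", delete_resource_vulnerable(s, "mallory", "ws1", "proj1"))
    s = build_sample_store()
    print("fixed, member deletes owner's project:", delete_resource_fixed(s, "mallory", "ws1", "proj1"))
    print("fixed, member deletes own project:", delete_resource_fixed(s, "mallory", "ws1", "proj2"))
    print("fixed, owner deletes member's project:", delete_resource_fixed(s, "alice", "ws1", "proj2"))
```

The point of keeping `_resolve` shared is that the fix is a single extra predicate evaluated after the resource has been loaded; the authorization decision needs the resource's `created_by` and the actor's role, so it cannot be made by a route-level membership middleware alone. The same predicate applies to every content type the advisory lists, so it belongs in one helper rather than being re-implemented per endpoint.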