pkg:PyPI/praisonai-platform

All known vulnerabilities

• CRITICAL9.8CVE-2026-47410praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
  from 0, < 0.1.4
• CRITICAL9.6CVE-2026-47413praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members
  from 0, < 0.1.4
• CRITICAL9.6CVE-2026-47416praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}
  from 0, < 0.1.4
• HIGH8.8PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership
  from 0, < 0.1.4
• HIGH8.8PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID
  from 0, < 0.1.4
• HIGH8.8PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API
  from 0, < 0.1.4
• HIGH8.3praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR
  from 0, < 0.1.4
• HIGH8.3praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR
  from 0, < 0.1.4
• HIGH8.1praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}
  from 0, < 0.1.4
• HIGH8.1praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR
  from 0, < 0.1.4
• HIGH8.1praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR
  from 0, < 0.1.4
• HIGH8.1praisonai-platform: Missing authorization on member removal enables full workspace takeover by any user regardless of role
  from 0, < 0.1.4
• HIGH8.1praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks
  from 0, < 0.1.4
• HIGH7.6praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link)
  from 0, < 0.1.4
• MEDIUM6.5praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}
  from 0, < 0.1.4
• MEDIUM6.5praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership
  from 0, < 0.1.4
• —PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
  from 0, < 0.1.4