PT-2026-53556 · Pypi · Praisonai-Platform

Publicado

2026-06-29

·

Atualizado

2026-06-29

CVSS v3.1

9.6

Crítica

VetorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Summary

Type: Privilege escalation / cross-tenant member injection. The POST /workspaces/{workspace id}/members endpoint is gated only by require workspace member(workspace id) (default min role="member") and forwards the request body's user id and role straight into MemberService.add(workspace id, user id, role), which has no caller-permission check. A user with the lowest workspace privilege can add any user (including a new attacker-controlled second account, or an existing account they want to grief) as owner of the workspace. File: src/praisonai-platform/praisonai platform/api/routes/workspaces.py, lines 92-101; services/member service.py, lines 26-38. Root cause: MemberService.add validates only that role is in VALID ROLES = {"owner", "admin", "member"} — the value, not the caller's right to assign it. The route's Depends(require workspace member) resolves to the default min role="member". So a member-level token plus one POST gives the attacker an alternate identity with owner role inside the same workspace, bypassing every owner-only operation that would otherwise gate them.

Affected Code

File 1: src/praisonai-platform/praisonai platform/api/routes/workspaces.py, lines 92-101.
python
@router.post("/{workspace id}/members", response model=MemberResponse, status code=status.HTTP 201 CREATED)
async def add member(
  workspace id: str,
  body: MemberAdd,
  user: AuthIdentity = Depends(require workspace member),     # <-- BUG: defaults to min role="member"
  session: AsyncSession = Depends(get db),
):
  member svc = MemberService(session)
  member = await member svc.add(workspace id, body.user id, body.role) # <-- writes any (user, role)
  return MemberResponse.model validate(member)
File 2: src/praisonai-platform/praisonai platform/services/member service.py, lines 26-38.
python
async def add(
  self,
  workspace id: str,
  user id: str,
  role: str = "member",
) -> Member:
  """Add a user to a workspace."""
  if role not in VALID ROLES:                   # only validates the value
    raise ValueError(f"Invalid role: {role}. Must be one of {VALID ROLES}")
  member = Member(workspace id=workspace id, user id=user id, role=role)
  self. session.add(member)                    # <-- BUG: no caller-permission check
  await self. session.flush()
  return member
Why it's wrong: workspace member management is the textbook capability that must be gated on owner role. The role hierarchy is implemented (MemberService.has role, member service.py:80-96), the dependency-tunable min role parameter exists (require workspace member(min role), deps.py:58), but the POST .../members route uses neither. The VALID ROLES enum check is purely cosmetic — it accepts "owner" from any caller because the route never asked whether the caller has the right to assign that role.

Exploit Chain

  1. Attacker registers two accounts (or recruits a member account on the target workspace W). Account A is an existing member of W; Account B is a fresh signup the attacker controls (any account on the platform — auth/register is open by default). State: attacker holds tokens for both A and B.
  2. Attacker authenticates as Account A and POSTs Authorization: Bearer <A jwt> to POST /workspaces/W/members with body {"user id": "<B user id>", "role": "owner"}. State: control flow enters add member.
  3. require workspace member(W, A) passes (A is a member). MemberService.add(W, B, "owner") writes a new row Member(workspace id=W, user id=B, role="owner"). State: Account B is now a workspace-W owner.
  4. Attacker switches to Account B and acts as workspace owner — change settings, add/remove members, delete the workspace, or pivot to the companion advisories' primitives. State: attacker holds owner of any workspace they had member access to, via a fresh attacker-controlled identity that the original workspace's audit logs cannot easily attribute to A.
  5. Final state: with one member-level token plus one POST, the attacker plants an owner-role identity on any workspace they can reach. The same primitive lets the attacker invite a competitor or external-vendor account into the workspace as owner, exfiltrating the workspace's content under that competitor's name.

Security Impact

Severity: sec-critical. CVSS 9.1: network attack, low complexity, low privileges (member tier), no user interaction, scope changed (the new owner is a different security principal), high confidentiality and integrity, no availability claim. Attacker capability: with one workspace-member token plus one POST request, the attacker grants owner-tier access to any user id on the platform. From there, full workspace control via the Account B token, plus indirect attribution: the original workspace's audit logs see "user A added user B as owner" but the audit trail cannot tell that B is attacker-controlled. Preconditions: praisonai-platform is deployed multi-tenant; the attacker has any membership token in the target workspace; the attacker can register or knows any other user id on the platform. Differential: source-inspection-verified. The asymmetry between MemberService.has role (clearly tiered) and add member's default min role="member" confirms the gap. With the suggested fix below, the gate refuses the member-tier token, the elevated POST returns 403, and the second-identity owner is never created.

Suggested Fix

diff
--- a/src/praisonai-platform/praisonai platform/api/routes/workspaces.py
 +++ b/src/praisonai-platform/praisonai platform/api/routes/workspaces.py
@@ -90,11 +90,15 @@
+def require workspace owner(workspace id: str, user, session):
+  return require workspace member(workspace id, user, session, min role="owner")
+
 @router.post("/{workspace id}/members", response model=MemberResponse, status code=status.HTTP 201 CREATED)
 async def add member(
   workspace id: str,
   body: MemberAdd,
-  user: AuthIdentity = Depends(require workspace member),
+  user: AuthIdentity = Depends( require workspace owner),
   session: AsyncSession = Depends(get db),
 ):
   member svc = MemberService(session)
+  if body.role == "owner" and not await member svc.has role(workspace id, user.id, "owner"):
+    raise HTTPException(status code=403, detail="Only owners can add other owners")
   member = await member svc.add(workspace id, body.user id, body.role)
The four other workspace mutation endpoints (update workspace, delete workspace, update member role, remove member) exhibit the same default-min-role gap and are filed as their own advisories.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

PYSEC-2026-480

Produtos afetados

Praisonai-Platform