PT-2026-45060 · Pypi · Praisonai-Platform

Published

2026-05-29

·

Updated

2026-05-29

·

CVE-2026-47406

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

Type: Insecure Direct Object Reference. The dependency endpoints (POST/GET /workspaces/{workspace id}/issues/{issue id}/dependencies and DELETE .../dependencies/{dep id}) gate access on require workspace member(workspace id) only, then dispatch to DependencyService calls that take URL/body-supplied issue and dependency IDs without verifying any of them belong to the membership-checked workspace. Most damaging: create dependency accepts body.depends on issue id from the request body — that ID is checked against nothing — letting an attacker create a "blocks" or "related" link between any two issues anywhere in the database. File: src/praisonai-platform/praisonai platform/api/routes/dependencies.py, lines 22-58; services/dependency service.py, lines 26-65. Root cause: the same Depends(require workspace member) default-min-role pattern as the companion IDORs, plus a service layer (DependencyService) where every method takes raw IDs and queries them directly. create(issue id, depends on issue id, ...) writes a row with no workspace verification on either ID. list for issue(issue id) returns dependencies in either direction. delete(dep id) is a primary-key delete with no workspace predicate.

Affected Code

File 1: src/praisonai-platform/praisonai platform/api/routes/dependencies.py, lines 22-58.
python
@router.post("/", response model=DependencyResponse, status code=status.HTTP 201 CREATED)
async def create dependency(
  workspace id: str,
  issue id: str,
  body: DependencyCreate,
  user: AuthIdentity = Depends(require workspace member),
  session: AsyncSession = Depends(get db),
):
  svc = DependencyService(session)
  dep = await svc.create(issue id, body.depends on issue id, body.type) # <-- BUG: neither id is workspace-checked
  return DependencyResponse.model validate(dep)


@router.get("/", response model=List[DependencyResponse])
async def list dependencies(
  workspace id: str,
  issue id: str,
  user: AuthIdentity = Depends(require workspace member),
  session: AsyncSession = Depends(get db),
):
  svc = DependencyService(session)
  deps = await svc.list for issue(issue id)               # <-- BUG: returns dependencies for any issue
  return [DependencyResponse.model validate(d) for d in deps]


@router.delete("/{dep id}", status code=status.HTTP 204 NO CONTENT)
async def delete dependency(
  workspace id: str,
  issue id: str,
  dep id: str,
  user: AuthIdentity = Depends(require workspace member),
  session: AsyncSession = Depends(get db),
):
  svc = DependencyService(session)
  deleted = await svc.delete(dep id)                   # <-- BUG: deletes any dependency by id
  if not deleted:
    raise HTTPException(status code=404, detail="Dependency not found")
File 2: src/praisonai-platform/praisonai platform/services/dependency service.py, lines 26-65.
python
async def create(self, issue id: str, depends on issue id: str, dep type: str = "blocks") -> IssueDependency:
  if dep type not in VALID TYPES:
    raise ValueError(...)
  dep = IssueDependency(
    issue id=issue id,                       # <-- accepts any
    depends on issue id=depends on issue id,            # <-- accepts any (from request body)
    type=dep type,
  )
  self. session.add(dep); await self. session.flush(); return dep

async def list for issue(self, issue id: str) -> list[IssueDependency]:
  stmt = select(IssueDependency).where(
    (IssueDependency.issue id == issue id) | (IssueDependency.depends on issue id == issue id)
  )
  return list((await self. session.execute(stmt)).scalars().all())

async def delete(self, dep id: str) -> bool:
  dep = await self.get(dep id)                    # session.get(IssueDependency, dep id) — no workspace check
  ...
Why it's wrong: the request-body depends on issue id is the worst part: an attacker can link any two issues across any two workspaces, polluting both workspaces' dependency graphs with attacker-chosen relationships ("blocks", "blocked by", "related"). The triagers in the foreign workspace see their issue suddenly blocked by an unrelated foreign issue, breaking sprint planning and creating false correlation. The delete(dep id) path lets an attacker remove legitimate cross-issue links between any two foreign workspaces, also disrupting their planning. The list for issue path leaks the dependency graph for any issue in the deployment.

Exploit Chain

  1. Attacker is a member of workspace W attacker and harvests two foreign-workspace issue UUIDs I1 (in W target1) and I2 (in W target2). They leak via the activity feed, comment threads, error messages, exported dumps, the agent prompt history, or any other channel that ever serialises an issue ID. State: attacker holds two foreign issue UUIDs.
  2. Attacker sends POST /workspaces/W attacker/issues/I1/dependencies with Authorization: Bearer <attacker jwt> and body {"depends on issue id": "I2", "type": "blocks"}. State: control flow enters create dependency with issue id=I1 (foreign), depends on issue id=I2 (foreign).
  3. require workspace member(W attacker, attacker) passes (attacker is a member of W attacker). DependencyService.create(I1, I2, "blocks") writes a new row IssueDependency(issue id=I1, depends on issue id=I2, type="blocks"). State: there is now a cross-workspace dependency between two foreign issues, written by the attacker.
  4. The triage UIs of W target1 and W target2 now show that the foreign issue is blocked by an unrelated issue in another workspace. Workflow rules that key off "cannot close while blocked" will refuse to let the legitimate triagers close I1. State: foreign workflow disrupted.
  5. Attacker repeats with GET /workspaces/W attacker/issues/I1/dependencies to read the dependency graph for any foreign issue (information disclosure, project relationship mapping), or with DELETE .../{dep id} (after enumerating dep ids via the list call) to strip legitimate dependencies between foreign issues, breaking blocked-by chains.
  6. Final state: with one workspace-member token, the attacker reads, writes, and deletes dependencies on every issue in the multi-tenant deployment, polluting the dependency graphs of foreign workspaces.

Security Impact

Severity: sec-high. CVSS 7.6: network attack, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality (cross-workspace dependency graph disclosure), high integrity (cross-workspace dependency injection and deletion), no availability claim (workflow disruption is integrity, not availability). Attacker capability: read any issue's dependency graph; create arbitrary "blocks" / "blocked by" / "related" links between any two issues across any two workspaces; delete any dependency by id. The most surprising primitive is the cross-workspace LINKING — the only one of the IDORs in this codebase where a single attacker request can affect TWO foreign workspaces at once. Preconditions: praisonai-platform is deployed multi-tenant; attacker has any membership token; foreign issue UUIDs are reachable. Differential: source-inspection-verified end-to-end. The asymmetry between this service (no workspace predicate anywhere) and MemberService.get(workspace id, user id) (correctly composite-keyed) confirms the gap. With the suggested fix below, the route would resolve both the URL issue id and the body depends on issue id against IssueService.get(workspace id, ...) before allowing the dependency to be written.

Suggested Fix

Resolve every issue id (URL and body) against workspace id at the route layer before dispatching. The route helper from the issue-IDOR companion advisory can be reused.
diff
--- a/src/praisonai-platform/praisonai platform/api/routes/dependencies.py
+++ b/src/praisonai-platform/praisonai platform/api/routes/dependencies.py
@@ -22,11 +22,16 @@
 @router.post("/", response model=DependencyResponse, status code=status.HTTP 201 CREATED)
 async def create dependency(
   workspace id: str,
   issue id: str,
   body: DependencyCreate,
   user: AuthIdentity = Depends(require workspace member),
   session: AsyncSession = Depends(get db),
 ):
+  issue svc = IssueService(session)
+  if await issue svc.get(workspace id, issue id) is None:
+    raise HTTPException(status code=404, detail="Issue not found")
+  if await issue svc.get(workspace id, body.depends on issue id) is None:
+    raise HTTPException(status code=404, detail="depends on issue id not found in this workspace")
   svc = DependencyService(session)
   dep = await svc.create(issue id, body.depends on issue id, body.type)
   return DependencyResponse.model validate(dep)
Apply the same issue svc.get(workspace id, issue id) precondition to list dependencies and delete dependency (verifying both the issue and the dependency belong to workspace id).

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-639

Related Identifiers

CVE-2026-47406
GHSA-4X6R-9V57-3GQW

Affected Products

Praisonai-Platform