PT-2026-45486 · Unknown · Praisonai-Platform

Published 2026-06-01 · Updated 2026-06-03 · CVE-2026-47413

CVSS v3.1: 9.6 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: praisonai-platform versions prior to 0.1.4
Description: A privilege escalation flaw in the PraisonAI Platform allows any workspace member to grant owner-level privileges to arbitrary users. The issue stems from the POST /workspaces/{workspace_id}/members endpoint, which only requires the caller to hold a basic member role via the require_workspace_member() dependency. The request is then forwarded to MemberService.add(), which checks that the requested role name is valid but never verifies whether the caller is permitted to assign that particular role.
An attacker with member-level access can exploit this by using a second account to assign themselves the owner role, thereby gaining full control over the workspace. This allows unauthorized access to workspace data, member management, and other restricted owner actions.
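As an added illustration, not code from the PraisonAI project, the following constructed Python model shows the missing check side by side with a corrected version: the vulnerable path validates only the role name, while the fixed path also compares the caller's own role against the role being granted. The role names, their ordering, the function names and the sample accounts are all assumptions.

```python
# Assumed role hierarchy for this illustration; the project's own role
# names and ordering may differ.
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}


class Forbidden(Exception):
    """Raised when the caller lacks the permission being checked."""


def require_workspace_member(members: dict, caller: str) -> str:
    """Stand-in for the endpoint dependency: membership check only."""
    if caller not in members:
        raise Forbidden("caller is not a workspace member")
    return members[caller]


def add_member_vulnerable(members: dict, caller: str, target: str, role: str) -> str:
    """Validates that the role name exists, but never asks whether the
    caller is allowed to grant that role (the flaw in the advisory)."""
    require_workspace_member(members, caller)
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role {role!r}")
    members[target] = role
    return role


def add_member_fixed(members: dict, caller: str, target: str, role: str) -> str:
    """Additionally requires the caller's own role to rank at least as high
    as the role being assigned, so a member cannot mint an owner."""
    caller_role = require_workspace_member(members, caller)
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role {role!r}")
    if ROLE_RANK[caller_role] < ROLE_RANK[role]:
        raise Forbidden(f"role {caller_role!r} may not grant {role!r}")
    members[target] = role
    return role


def replay_advisory() -> tuple:
    """Runs the advisory scenario (a member granting owner to a second account)
    against both versions; returns the granted role, or None when refused."""
    outcomes = []
    for add in (add_member_vulnerable, add_member_fixed):
        members = {"alice": "owner", "mallory": "member"}  # constructed data
        try:
            outcomes.append(add(members, "mallory", "mallory-second", "owner"))
        except Forbidden:
            outcomes.append(None)
    return tuple(outcomes)
```

The same comparison belongs in the endpoint's own authorization tests, where a request that grants a role above the caller's own should be asserted to fail.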
Recommendations: Upgrade to version 0.1.4. As a temporary workaround, restrict access to the POST /workspaces/{workspace_id}/members endpoint to trusted administrators until the update is applied.

Fix

Weakness Enumeration

Missing Authorization

Improper Privilege Management

Related Identifiers

CVE-2026-47413
GHSA-8G2P-PQM3-FCFH

Affected Products

Praisonai-Platform