PT-2026-57438 · Unknown · Praisonai-Platform

Rexpository

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-61442

CVSS v3.1

7.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions PraisonAI Platform versions prior to 0.1.9
Description The platform fails to enforce owner or administrator authorization on the PATCH routes for projects, issues, and agents, requiring only the workspace-member role. This allows a user with low privileges to modify records created by the workspace owner. Specifically, for projects, a member can reassign the lead id variable to their own user ID and subsequently delete the project, which bypasses the owner or administrator permission check typically required by the delete route.
Recommendations Update to version 0.1.9 or later.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61442
GHSA-C78W-2Q4R-68R7

Affected Products

Praisonai-Platform