CVE-2026-61442
PraisonAI Platform before 0.1.9 Authorization Bypass via PATCH
CVSS Score
7.1
EPSS Score
0.3%
EPSS Percentile
17th
PraisonAI Platform (praisonai-platform) before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign lead_id to their own user id and then delete the owner-created project, bypassing the delete route's owner/admin permission check.
| CWE | CWE-862 |
| Vendor | mervinpraison |
| Product | praisonai |
| Published | Jul 11, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for mervinpraison praisonai
Be the first to know when new high vulnerabilities affecting mervinpraison praisonai are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low
Affected Versions
MervinPraison / PraisonAI
0 < 0.1.9
References
github.com: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-c78w-2q4r-68r7 github.com: https://github.com/MervinPraison/PraisonAI/commit/846568c7a5d8ce9e71e56e4c213f027c04909753 vulncheck.com: https://www.vulncheck.com/advisories/praisonai-platform-before-authorization-bypass-via-patch
Credits
๐ rexpository