PraisonAI CVE-2026-47409/47414 — Workspace Takeover and Cross-Workspace IDOR
Two new high-severity vulnerabilities in the PraisonAI platform (pip) expose workspace-level access control failures — enabling unauthorized member removal and cross-workspace label manipulation.
Vulnerabilities
- CVE-2026-47409 (High) — Missing authorization on member removal allows any authenticated user to remove any other member from a workspace, regardless of role, enabling full workspace takeover.
- CVE-2026-47414 (High) — Label endpoints accept unvalidated
label_idandissue_idparameters, enabling cross-workspace label IDOR. Attackers can edit, delete, or link labels across workspace boundaries.
Details
- Both CVEs target PraisonAI's workspace collaboration layer, which manages multi-user AI agent projects and shared configurations.
- CVE-2026-47409's missing role check means a low-privilege member can evict workspace admins and assume control — a direct path to full project takeover.
- CVE-2026-47414's IDOR affects label operations (create, edit, delete, link) across workspace boundaries, enabling data manipulation in projects the attacker has no legitimate access to.
- These follow the previously disclosed CVE-2026-47408 (unauthenticated A2A
eval()RCE) from the same batch of advisories. - All three CVEs highlight systemic authorization gaps in PraisonAI's workspace and project management surfaces.
Why it matters
PraisonAI is an open-source AI agent framework with growing adoption for building and deploying multi-agent workflows. The combination of workspace takeover (CVE-2026-47409) and cross-workspace data manipulation (CVE-2026-47414) means that any authenticated user — including compromised accounts — can escalate to full workspace control and tamper with other teams' agent configurations, potentially injecting malicious prompts or tool configurations into shared AI pipelines.
What to do
- Update PraisonAI to the latest patched version immediately.
- Audit workspace membership logs for unauthorized removals.
- Review label and issue data for cross-workspace tampering indicators.
- If running PraisonAI in production, isolate workspace services behind API gateways with explicit authorization enforcement.