Authorization Bypass in PraisonAI Platform by Mervin Praison
CVE-2026-61440

7.1HIGH

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61440?

The PraisonAI Platform prior to version 0.1.9 contains a significant authorization flaw that allows workspace members to perform unauthorized label and issue-label mutations. This vulnerability enables them to rename, recolor, and manage labels on issues created by owners without proper authorization. The exploitation involves sending PATCH and POST/DELETE requests to modify shared label taxonomy and manipulate issue-label associations, thus compromising the intended access controls of the platform.

Affected Version(s)

PraisonAI 0 < 0.1.9

PraisonAI 0.1.9

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rexpository
.