Authorization Bypass in PraisonAI Platform by Mervin Praison
CVE-2026-61442

7.1HIGH

Key Information:

Status
Vendor
CVE Published:
11 July 2026

What is CVE-2026-61442?

The PraisonAI Platform prior to version 0.1.9 exhibits a critical oversight in its authorization mechanisms, failing to enforce necessary owner/admin permissions on PATCH routes associated with projects, issues, and agents. This flaw allows any member of the workspace to manipulate records that were originally created by the owner. Notably, a workspace member can change the 'lead_id' of a project to their own user ID and subsequently delete the owner’s project, circumventing established permission checks. This vulnerability underscores the need for diligent access control within collaborative environments to prevent unauthorized record modifications.

Affected Version(s)

PraisonAI 0 < 0.1.9

PraisonAI 0.1.9

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rexpository
.