Authorization Bypass in PraisonAI Platform by Mervin Praison
CVE-2026-61442
7.1HIGH
What is CVE-2026-61442?
The PraisonAI Platform prior to version 0.1.9 exhibits a critical oversight in its authorization mechanisms, failing to enforce necessary owner/admin permissions on PATCH routes associated with projects, issues, and agents. This flaw allows any member of the workspace to manipulate records that were originally created by the owner. Notably, a workspace member can change the 'lead_id' of a project to their own user ID and subsequently delete the owner’s project, circumventing established permission checks. This vulnerability underscores the need for diligent access control within collaborative environments to prevent unauthorized record modifications.
Affected Version(s)
PraisonAI 0 < 0.1.9
PraisonAI 0.1.9
