Critical | Vulnerability | Active

PraisonAI Platform: Cross-Workspace IDOR and Unenforced Role-Based Access Control

PraisonAI Platform exposes a chain of authorization bypasses allowing any authenticated user to read/modify/delete cross-tenant resources and escalate their own privileges to admin or owner, enabling complete workspace takeover with only open registration.

Sebastion

CVE References

Affected

PraisonAI/PraisonAI-Platform

Vulnerability Description

The PraisonAI Platform contains two chained authorization flaws. First, a cross-workspace IDOR (CWE-639) exists in nested resource endpoints (/api/v1/workspaces/{workspace_id}/agents/{agent_id}, etc.). The require_workspace_member(workspace_id) FastAPI dependency validates only that the caller belongs to the workspace in the URL prefix, but the route handler retrieves the inner resource by primary key alone without validating that the resource's workspace_id matches the URL parameter. An attacker can substitute a different workspace ID in the path while referencing another tenant's resource ID, bypassing the authorization check. Second, a privilege escalation flaw (CWE-269) exists in member-management routes: the min_role="member" default is inherited but never enforced, allowing any workspace member to call update_member_role on themselves to escalate to admin or owner, or call remove_member/delete_workspace to disable other users or destroy the workspace entirely.

PoC Significance

This disclosure describes a trivially exploitable vulnerability chain requiring only unauthenticated registration (no email verification on POST /api/v1/auth/register) and a single authenticated HTTP request per action. The PoC proves that: (1) the dependency-based authorization model is insufficient for multi-tenant systems, (2) role hierarchy checks are defined in the schema but absent from business logic, and (3) the default deployment (0.0.0.0:8000) exposes the service to any network position. Exploitation is highly reliable and requires no race conditions, timing, or user interaction—any attacker can enumerate workspace IDs and systematically compromise all tenants.

Detection Guidance

Defenders should monitor for: (1) Authorization anomalies: requests to /api/v1/workspaces/{workspace_id}/* where the authenticated user's workspace does not match the URL parameter; log all such attempts with user ID, target workspace, and resource type. (2) Privilege changes: audit logs for update_member_role calls that elevate a user's own role from member to admin/owner, or role changes issued by non-admin accounts. (3) Suspicious account creation: bulk registration attempts or registrations from unexpected geographic/IP ranges followed by cross-workspace requests. (4) Log indicators: search for POST /api/v1/auth/register with no email verification, then correlate timestamps with IDOR-pattern requests. (5) WAF/proxy signatures: flag requests where workspace_id in the URL differs from the authenticated user's assigned workspace IDs (requires context-aware inspection).

Mitigation Steps

Immediate actions: (1) Enable email verification on registration; require confirmed ownership of the address before granting API access. (2) Enforce the role hierarchy in code: add assertions in all member-management endpoints (add_member, update_member_role, remove_member, update_workspace, delete_workspace) that verify the caller's role is admin or owner—do not rely on schema defaults. (3) Validate resource ownership: in every nested-resource route, fetch the resource and always compare its workspace_id to the URL parameter before returning data; reject with 404 on mismatch. (4) Change the default bind from 0.0.0.0:8000 to 127.0.0.1:8000 and run behind an authenticated reverse proxy. (5) Restrict network exposure: if deployed in the cloud, use security groups or firewall rules to allow only trusted clients. Long-term fixes: redesign the dependency injection to pass the authenticated user's workspace set and validate membership for each resource retrieved, not just the URL parameter; implement property-based tests for multi-tenant isolation.
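The ownership and role checks from steps (2) and (3), as an added example in plain Python rather than the project's own code: the FastAPI dependency is modelled as an ordinary function, HTTPError stands in for HTTPException, and the users, workspaces, agents and role ranks are constructed for the demonstration.

```python
# Assumed role hierarchy; the advisory names member, admin and owner.
ROLE_RANK = {"member": 0, "admin": 1, "owner": 2}

class HTTPError(Exception):  # stand-in for FastAPI's HTTPException
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status

# Constructed sample data: alice is a member of ws-1, bob owns ws-2; one agent per tenant.
MEMBERSHIPS = {"alice": {"ws-1": "member"}, "bob": {"ws-2": "owner"}}
AGENTS = {"agent-1": {"workspace_id": "ws-1"}, "agent-2": {"workspace_id": "ws-2"}}

def require_workspace_member(user: str, workspace_id: str) -> str:
    """Prefix check only: confirms membership in the URL workspace and returns the role."""
    role = MEMBERSHIPS.get(user, {}).get(workspace_id)
    if role is None:
        raise HTTPError(403, "not a workspace member")
    return role

def get_agent_vulnerable(user: str, workspace_id: str, agent_id: str) -> dict:
    """Flawed pattern: lookup by primary key alone, URL workspace never compared."""
    require_workspace_member(user, workspace_id)
    agent = AGENTS.get(agent_id)
    if agent is None:
        raise HTTPError(404, "not found")
    return agent

def get_agent_fixed(user: str, workspace_id: str, agent_id: str) -> dict:
    """Mitigation (3): the resource's workspace_id must equal the URL parameter; mismatch is 404."""
    require_workspace_member(user, workspace_id)
    agent = AGENTS.get(agent_id)
    if agent is None or agent["workspace_id"] != workspace_id:
        raise HTTPError(404, "not found")
    return agent

def update_member_role_fixed(caller: str, workspace_id: str, target: str, new_role: str) -> str:
    """Mitigation (2): admin/owner only, no self-promotion, no grant above the caller's own rank."""
    caller_role = require_workspace_member(caller, workspace_id)
    if (ROLE_RANK[caller_role] < ROLE_RANK["admin"] or caller == target
            or ROLE_RANK.get(new_role, 99) > ROLE_RANK[caller_role]):
        raise HTTPError(403, "insufficient role for this change")
    MEMBERSHIPS.setdefault(target, {})[workspace_id] = new_role
    return new_role

def status_of(handler, *args) -> int:  # 200 on success, else the HTTPError status
    try:
        handler(*args)
        return 200
    except HTTPError as err:
        return err.status
```

The vulnerable handler returns the other tenant's agent to a member of ws-1, while the fixed handler answers 404 and the role update refuses self-promotion.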

Risk Assessment

Likelihood of exploitation in the wild: Very High. The vulnerability requires no advanced techniques, registration is open, and the platform may be deployed on the public internet by early adopters or in lab/demo environments. The CVE disclosure will incentivize opportunistic scanning. Threat actor interest: High. This flaw enables rapid, silent data exfiltration and workspace sabotage across all tenants on a single server instance—attractive to competitors, nation-states conducting supply-chain reconnaissance, and insider threats. Time to exploitation: Minutes from discovery. Blast radius: All workspaces on the affected instance are compromised; if user email addresses are shared across instances, attackers can pivot to other deployments using the same credentials.