Critical | Vulnerability | Active

Vertical Privilege Escalation in PraisonAI Platform Workspace Member Management

Any workspace member can unilaterally promote themselves or others to the owner role because the PATCH /workspaces/{id}/members/{user_id} endpoint is missing an authorization check. This is a complete privilege escalation requiring only workspace membership and a single HTTP request.

Sebastion

Affected

praisonai/praisonai-platform

Vulnerability Description

This is a vertical privilege escalation vulnerability caused by absent authorization checks in the role-update handler. The PATCH /workspaces/{workspace_id}/members/{user_id} endpoint uses a dependency require_workspace_member() that defaults to minimum role "member" and is never overridden. The downstream MemberService.update_role() function contains zero privilege validation: it does not verify the caller has admin/owner rights, does not reject role assignments higher than the caller's own rank, and does not prevent self-promotion. This allows any workspace member to set any user (including themselves) to the "owner" role.

Proof-of-Concept Significance

The PoC demonstrates a single-request exploit with no chaining: a low-privilege "member" user sends PATCH /workspaces/{workspace_id}/members/{their_user_id} with {"role": "owner"} and receives owner permissions. The attack is deterministic, requires only valid workspace membership (a low barrier), and involves minimal obfuscation. The vulnerability is highly reliable because it does not depend on race conditions or timing; it is a simple missing guard clause. No additional privileges, credentials, or social engineering are required.

Detection Guidance

Log Indicators:

  • HTTP PATCH requests to /workspaces/*/members/* endpoints originating from non-admin accounts
  • Rapid role changes (especially to "owner") by accounts with lower privilege history
  • Requests where the user_id in the URL matches the authenticated user's own ID and the request body contains "role": "owner" or other privilege escalation targets
  • Audit log entries showing a "member" user's role changing to "owner" without corresponding admin action or approval workflow

Detection Rules:

  • Monitor for HTTP 200/204 responses to PATCH member endpoints followed immediately by workspace admin actions performed by previously-member accounts
  • Flag accounts that transition from "member" to "owner" in a single API call outside of normal provisioning workflows
  • Correlate rapid role escalations with subsequent high-risk actions (bulk member modifications, workspace deletion, integration creation)

Mitigation Steps

Immediate Actions:

  1. Code Fix: Add an authorization guard in MemberService.update_role() before assignment:

    • Verify caller's role is "owner" or "admin"
    • Reject any role assignment where new_role is higher than caller_role
    • Reject self-promotion requests (when user_id == caller_id and new_role > caller_role)

  2. FastAPI Dependency Pattern Fix: Refactor require_workspace_member to accept role constraints via a factory function or introduce a new decorator @require_workspace_owner() that the route explicitly uses.

  3. Audit Trail: Log all role modification attempts (successful and failed) with caller identity, target user, old role, new role, and outcome.
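
The guard from step 1 combined with the audit record from step 3, as an added example; it is not praisonai-platform code. The rank ordering member < admin < owner, the in-memory member map and the names deny_reason, update_role and AuditRecord are assumptions, and the "target outranks caller" check goes beyond the three checks listed above.

```python
from dataclasses import dataclass

# Assumed ordering of the roles the page names; not taken from the project.
ROLE_RANK = {"member": 0, "admin": 1, "owner": 2}

@dataclass(frozen=True)
class AuditRecord:
    caller_id: str
    target_id: str
    old_role: str
    new_role: str
    outcome: str  # "allowed" or "denied: <reason>"

def deny_reason(caller_id, caller_role, target_id, old_role, new_role):
    """Return why the change must be rejected, or None if it is permitted."""
    if any(r not in ROLE_RANK for r in (caller_role, old_role, new_role)):
        return "unknown role"
    caller, old, new = (ROLE_RANK[r] for r in (caller_role, old_role, new_role))
    if caller < ROLE_RANK["admin"]:
        return "caller is not admin or owner"
    if target_id == caller_id and new > caller:
        return "self-promotion"
    if new > caller:
        return "new role outranks caller"
    if old > caller:  # extra check, not in the page's list: no acting on a superior
        return "target outranks caller"
    return None

def update_role(members, audit, caller_id, target_id, new_role):
    """Guarded update over an in-memory {user_id: role} map (hypothetical store)."""
    caller_role = members.get(caller_id)  # read from the store, never from the request
    old_role = members.get(target_id)
    if caller_role is None or old_role is None:
        reason = "caller or target is not a workspace member"
    else:
        reason = deny_reason(caller_id, caller_role, target_id, old_role, new_role)
    outcome = "allowed" if reason is None else f"denied: {reason}"
    # Every attempt is recorded, whether it succeeds or fails.
    audit.append(AuditRecord(caller_id, target_id, str(old_role), str(new_role), outcome))
    if reason is None:
        members[target_id] = new_role
    return reason is None
```
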

Workarounds (temporary, if patching is delayed):

  • Restrict PATCH member endpoints via API gateway or WAF rules to accounts with verified owner/admin flags in a separate privilege store
  • Require multi-factor approval workflows for any role escalation to "owner"
  • Disable the PATCH endpoint entirely and route role changes through an admin-only interface

Risk Assessment

Likelihood of Exploitation: Very High. The attack requires no special tooling (curl or any HTTP client suffices), is deterministic, and any user with workspace access will eventually discover it through trial or documentation review. Insider threats and compromised low-privilege accounts are immediate risks.

Threat Actor Interest: Critical. This is a textbook lateral-movement and privilege-escalation vector. Ransomware operators, APT groups, and commodity malware commonly target SaaS IAM flaws for workspace takeovers and lateral movement to cloud infrastructure. The single-request nature makes it ideal for automated scanning and exploitation at scale.

Impact Magnitude: Workspace owners can modify integrations, access workspace data, invite/remove members, and potentially pivot to connected systems. A member-to-owner escalation grants near-complete control over a workspace's data and configuration.