# [CRIT] [GHSA / CRITICAL] CVE-2026-47407: PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation

**Source:** GitHub Security Advisories
**Published:** 2026-05-29
**Article:** https://github.com/advisories/GHSA-h8q5-cp56-rr65

## Threat Profile

PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation

## Summary

The Platform server exposes resources under `/api/v1/workspaces/{workspace_id}/...` and protects them with a `require_workspace_member(workspace_id)` FastAPI dependency. The dependency only checks that the caller is a member of the workspace_id in the URL prefix. The route handlers then look up the inner resource (`agent_id`, `issue_id`, `project_id`, `label_id`, `comment_id`, `dependency_id`) by primar…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-47407`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1078** — Valid Accounts
- **T1098** — Account Manipulation
- **T1548** — Abuse Elevation Control Mechanism
- **T1213** — Data from Information Repositories
- **T1530** — Data from Cloud Storage Object
- **T1136** — Create Account

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### PraisonAI Platform member role mutation endpoint hit (CVE-2026-47407 privilege escalation)

`UC_164_2` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.url) as urls values(Web.status) as status from datamodel=Web where Web.url="*/api/v1/workspaces/*/members*" Web.http_method IN ("PATCH","POST","DELETE") by Web.src, Web.user, Web.http_method, Web.dest | `drop_dm_object_name(Web)` | rex field=urls "/api/v1/workspaces/(?<url_workspace_id>[0-9a-f-]{36})/members(?:/(?<target_user_id>[0-9a-f-]{36}))?" | where status>=200 AND status<300 | sort - lastTime
```

### PraisonAI Platform cross-workspace nested-resource enumeration (CVE-2026-47407 IDOR)

`UC_164_3` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count from datamodel=Web where Web.url="*/api/v1/workspaces/*" (Web.url="*/agents/*" OR Web.url="*/issues/*" OR Web.url="*/projects/*" OR Web.url="*/labels/*" OR Web.url="*/dependencies/*") Web.http_method IN ("GET","PATCH","DELETE") by Web.src, Web.user, Web.url, _time span=10m | `drop_dm_object_name(Web)` | rex field=url "/api/v1/workspaces/(?<url_workspace_id>[0-9a-f-]{36})/(?<resource_kind>agents|issues|projects|labels|dependencies)/(?<inner_id>[0-9a-f-]{36})" | where isnotnull(inner_id) | stats dc(inner_id) as distinct_inner_ids dc(url_workspace_id) as distinct_url_workspaces count as hits values(resource_kind) as kinds by user, src | where distinct_inner_ids >= 15 AND distinct_url_workspaces <= 2 | sort - distinct_inner_ids
```

### PraisonAI Platform open-registration burst followed by workspace privileged action

`UC_164_4` · phase: **delivery** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count from datamodel=Web where Web.url="*/api/v1/*" Web.http_method IN ("POST","PATCH","DELETE") by _time, Web.src, Web.user, Web.url, Web.http_method, Web.status span=1s | `drop_dm_object_name(Web)` | eval is_register=if(like(url,"%/api/v1/auth/register%") AND http_method="POST" AND status>=200 AND status<300,1,0), is_sensitive=if((like(url,"%/api/v1/workspaces/%/members%") OR like(url,"%/api/v1/workspaces/%/agents/%") OR like(url,"%/api/v1/workspaces/%/projects/%")) AND http_method IN ("PATCH","DELETE","POST"),1,0) | stats min(_time) as firstTime max(_time) as lastTime sum(is_register) as register_hits sum(is_sensitive) as sensitive_hits values(url) as urls by src | where register_hits >= 1 AND sensitive_hits >= 1 AND (lastTime - firstTime) <= 600 | sort - lastTime
```

### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47407: PraisonAI Platform has a cross-workspace IDOR

`UC_164_1` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47407: PraisonAI Platform has a cross-workspace IDOR ```
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("start_server.sh","run_poc_video.sh","poc_cross_workspace_idor.py"))
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_name IN ("start_server.sh","run_poc_video.sh","poc_cross_workspace_idor.py"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47407: PraisonAI Platform has a cross-workspace IDOR
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName in~ ("start_server.sh", "run_poc_video.sh", "poc_cross_workspace_idor.py"))
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FileName in~ ("start_server.sh", "run_poc_video.sh", "poc_cross_workspace_idor.py"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-47407`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 8 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.