# [CRIT] [GHSA / CRITICAL] CVE-2026-47416: praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id} **Source:** GitHub Security Advisories **Published:** 2026-05-29 **Article:** https://github.com/advisories/GHSA-c2m8-4gcg-v22g ## Threat Profile praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id} ## Summary **Type:** Vertical privilege escalation. The `PATCH /workspaces/{workspace_id}/members/{user_id}` endpoint is gated by `require_workspace_member(workspace_id)`, which defaults to `min_role="member"` and is never overridden by the route. The handler then calls `MemberService.update_role(workspace_id, user_id, body.role)` which sets the target member's role t… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47416` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1068** — Exploitation for Privilege Escalation - **T1098** — Account Manipulation - **T1531** — Account Access Removal - **T1136.003** — Create Account: Cloud Account - **T1213** — Data from Information Repositories - **T1530** — Data from Cloud Storage - **T1087.004** — Account Discovery: Cloud Account ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### praisonai-platform CVE-2026-47416: PATCH /workspaces/{id}/members/{user_id} role-change request `UC_162_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.url) as urls values(Web.status) as statuses values(Web.user) as users from datamodel=Web where Web.http_method=PATCH Web.url="*/workspaces/*/members/*" by Web.src Web.user Web.dest Web.http_user_agent | rename Web.* as * | regex url="/workspaces/[^/]+/members/[^/?#]+" | where statuses="200" OR statuses="204" | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` ### praisonai-platform CVE-2026-47416: Member self-promotion + legitimate-owner demotion chain within one hour `UC_162_3` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count values(Web.url) as urls values(Web.status) as statuses min(_time) as firstSeen max(_time) as lastSeen from datamodel=Web where Web.http_method=PATCH Web.url="*/workspaces/*/members/*" Web.status IN (200,204) by Web.src Web.user _time span=1h | rename Web.* as * | where count >= 2 | eval windowMinutes=round((lastSeen-firstSeen)/60,1) | where windowMinutes <= 60 | `drop_dm_object_name(Web)` | `security_content_ctime(firstSeen)` | `security_content_ctime(lastSeen)` ``` ### praisonai-platform CVE-2026-47416: Bulk agent/issue/project/comment enumeration immediately after a workspace role-change PATCH `UC_162_4` · phase: **actions** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as patchTime from datamodel=Web where Web.http_method=PATCH Web.url="*/workspaces/*/members/*" Web.status IN (200,204) by Web.src Web.user | rename Web.* as * | rename src as srcIP user as srcUser | join type=inner srcIP [ | tstats summariesonly=true count as listCount values(Web.url) as listUrls min(_time) as firstList max(_time) as lastList from datamodel=Web where Web.http_method=GET (Web.url="*/workspaces/*/agents*" OR Web.url="*/workspaces/*/issues*" OR Web.url="*/workspaces/*/projects*" OR Web.url="*/workspaces/*/comments*") by Web.src | rename Web.src as srcIP Web.* as * ] | where firstList >= patchTime AND firstList <= patchTime + 900 AND listCount >= 10 | eval delaySec = firstList - patchTime | table patchTime, firstList, delaySec, srcIP, srcUser, listCount, listUrls ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47416: praisonai-platform: Any workspace member can p `UC_162_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47416: praisonai-platform: Any workspace member can p ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("deps.py","member_service.py")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("deps.py","member_service.py")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47416: praisonai-platform: Any workspace member can p // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("deps.py", "member_service.py")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("deps.py", "member_service.py")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47416` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 9 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.