Search criteria
Related vulnerabilities
GHSA-27P4-PJQV-WHGJ
Vulnerability from github – Published: 2026-05-29 22:34 – Updated: 2026-05-29 22:34Summary
Type: Insecure Direct Object Reference. The GET /workspaces/{workspace_id}/issues/{issue_id}/activity endpoint is gated by require_workspace_member(workspace_id) and dispatches to ActivityService.list_for_issue(issue_id), which executes SELECT * FROM activity WHERE issue_id = :issue_id with no workspace constraint. A user who is a member of any workspace can read the full activity log of any issue across the entire multi-tenant deployment.
File: src/praisonai-platform/praisonai_platform/api/routes/activity.py, lines 32-43; services/activity_service.py's list_for_issue method.
Root cause: the route extracts workspace_id from the URL path, uses it solely for the membership gate, then passes the URL-supplied issue_id directly to ActivityService.list_for_issue(issue_id) without verifying which workspace the issue belongs to. The companion list_workspace_activity endpoint at line 19-29 is implemented correctly (it passes workspace_id to svc.list_for_workspace(workspace_id)) — the asymmetry is the smoking gun.
Affected Code
File: src/praisonai-platform/praisonai_platform/api/routes/activity.py, lines 19-43.
@router.get("/activity", response_model=List[ActivityLogResponse])
async def list_workspace_activity(
workspace_id: str,
limit: int = Query(50, ge=1, le=200),
offset: int = Query(0, ge=0),
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
svc = ActivityService(session)
logs = await svc.list_for_workspace(workspace_id, limit=limit, offset=offset) # correct: passes workspace_id
return [ActivityLogResponse.model_validate(log) for log in logs]
@router.get("/issues/{issue_id}/activity", response_model=List[ActivityLogResponse])
async def list_issue_activity(
workspace_id: str,
issue_id: str,
limit: int = Query(50, ge=1, le=200),
offset: int = Query(0, ge=0),
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
svc = ActivityService(session)
logs = await svc.list_for_issue(issue_id, limit=limit, offset=offset) # <-- BUG: no workspace_id
return [ActivityLogResponse.model_validate(log) for log in logs]
Why it's wrong: activity logs are typically the most sensitive operational record — they include actor identity, action type, entity references, and a free-form details JSON blob that may contain pre-/post-change values for any tracked field. Reading the foreign workspace's activity log gives the attacker a high-fidelity view into who did what when, which is gold for further reconnaissance (cross-workspace member enumeration, foreign issue title disclosure, knowing which projects exist). The same author got list_workspace_activity right by passing workspace_id — the issue-scoped variant is the gap.
Exploit Chain
- Attacker is a member of workspace
W_attackerand harvests a target issue UUIDI_Tfrom any side channel. State: attacker holdsI_T. - Attacker sends
GET /workspaces/W_attacker/issues/I_T/activity?limit=200withAuthorization: Bearer <attacker_jwt>. State: control flow enterslist_issue_activity. require_workspace_member(W_attacker, attacker)passes.ActivityService.list_for_issue(I_T)runsSELECT * FROM activity WHERE issue_id = 'I_T' ORDER BY created_at DESC LIMIT 200. State: response body is the full activity log for the foreign issue.- The activity entries reveal: every actor (member or agent) who touched the issue, every action (created, updated, commented, status_changed, assignee_changed, project_changed, label_added, dependency_added), and the
detailsJSON blob containing the before/after values of every change. State: the attacker fingerprints the foreign workspace's triage workflow, identifies who works on what, and sees the issue's complete history including any embedded secrets that ever passed through the description or comments. - Final state: with one workspace-member token plus one GET, the attacker reads the full activity timeline of any issue in the multi-tenant deployment given the issue UUIDs.
Security Impact
Severity: sec-moderate. CVSS 6.5: network attack, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality (full activity log including before/after details), no integrity claim (read-only), no availability claim.
Attacker capability: read the activity log of any issue in the deployment given its UUID. Combined with the companion issue-IDOR (which already gives full issue content), this is recon for the foreign workspace's operational tempo, member identity, and triage workflow.
Preconditions: praisonai-platform is deployed multi-tenant; attacker has any workspace-membership token; foreign issue UUIDs are reachable.
Differential: source-inspection-verified. The asymmetry between list_workspace_activity (correctly workspace-scoped) and list_issue_activity (no workspace check) confirms the gap. With the suggested fix below, the route first resolves the issue via IssueService.get(workspace_id, issue_id), returns 404 for foreign issues, and only then proceeds.
Suggested Fix
--- a/src/praisonai-platform/praisonai_platform/api/routes/activity.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/activity.py
@@ -32,9 +32,12 @@
@router.get("/issues/{issue_id}/activity", response_model=List[ActivityLogResponse])
async def list_issue_activity(
workspace_id: str,
issue_id: str,
limit: int = Query(50, ge=1, le=200),
offset: int = Query(0, ge=0),
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
+ issue_svc = IssueService(session)
+ if await issue_svc.get(workspace_id, issue_id) is None: # workspace-scoped get from issue-IDOR companion
+ raise HTTPException(status_code=404, detail="Issue not found")
svc = ActivityService(session)
logs = await svc.list_for_issue(issue_id, limit=limit, offset=offset)
return [ActivityLogResponse.model_validate(log) for log in logs]
The same single-key issue lookup pattern is filed separately as the IssueService IDOR; once that is fixed, the helper used here is just IssueService.get(workspace_id, issue_id).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.2"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47408"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T22:34:08Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n**Type:** Insecure Direct Object Reference. The `GET /workspaces/{workspace_id}/issues/{issue_id}/activity` endpoint is gated by `require_workspace_member(workspace_id)` and dispatches to `ActivityService.list_for_issue(issue_id)`, which executes `SELECT * FROM activity WHERE issue_id = :issue_id` with no workspace constraint. A user who is a member of any workspace can read the full activity log of any issue across the entire multi-tenant deployment.\n**File:** `src/praisonai-platform/praisonai_platform/api/routes/activity.py`, lines 32-43; `services/activity_service.py`\u0027s `list_for_issue` method.\n\n**Root cause:** the route extracts `workspace_id` from the URL path, uses it solely for the membership gate, then passes the URL-supplied `issue_id` directly to `ActivityService.list_for_issue(issue_id)` without verifying which workspace the issue belongs to. The companion `list_workspace_activity` endpoint at line 19-29 is implemented correctly (it passes `workspace_id` to `svc.list_for_workspace(workspace_id)`) \u2014 the asymmetry is the smoking gun.\n\n## Affected Code\n\n**File:** `src/praisonai-platform/praisonai_platform/api/routes/activity.py`, lines 19-43.\n\n```python\n@router.get(\"/activity\", response_model=List[ActivityLogResponse])\nasync def list_workspace_activity(\n workspace_id: str,\n limit: int = Query(50, ge=1, le=200),\n offset: int = Query(0, ge=0),\n user: AuthIdentity = Depends(require_workspace_member),\n session: AsyncSession = Depends(get_db),\n):\n svc = ActivityService(session)\n logs = await svc.list_for_workspace(workspace_id, limit=limit, offset=offset) # correct: passes workspace_id\n return [ActivityLogResponse.model_validate(log) for log in logs]\n\n\n@router.get(\"/issues/{issue_id}/activity\", response_model=List[ActivityLogResponse])\nasync def list_issue_activity(\n workspace_id: str,\n issue_id: str,\n limit: int = Query(50, ge=1, le=200),\n offset: int = Query(0, ge=0),\n user: AuthIdentity = Depends(require_workspace_member),\n session: AsyncSession = Depends(get_db),\n):\n svc = ActivityService(session)\n logs = await svc.list_for_issue(issue_id, limit=limit, offset=offset) # \u003c-- BUG: no workspace_id\n return [ActivityLogResponse.model_validate(log) for log in logs]\n```\n\n**Why it\u0027s wrong:** activity logs are typically the most sensitive operational record \u2014 they include actor identity, action type, entity references, and a free-form `details` JSON blob that may contain pre-/post-change values for any tracked field. Reading the foreign workspace\u0027s activity log gives the attacker a high-fidelity view into who did what when, which is gold for further reconnaissance (cross-workspace member enumeration, foreign issue title disclosure, knowing which projects exist). The same author got `list_workspace_activity` right by passing `workspace_id` \u2014 the issue-scoped variant is the gap.\n\n## Exploit Chain\n\n1. Attacker is a member of workspace `W_attacker` and harvests a target issue UUID `I_T` from any side channel. State: attacker holds `I_T`.\n2. Attacker sends `GET /workspaces/W_attacker/issues/I_T/activity?limit=200` with `Authorization: Bearer \u003cattacker_jwt\u003e`. State: control flow enters `list_issue_activity`.\n3. `require_workspace_member(W_attacker, attacker)` passes. `ActivityService.list_for_issue(I_T)` runs `SELECT * FROM activity WHERE issue_id = \u0027I_T\u0027 ORDER BY created_at DESC LIMIT 200`. State: response body is the full activity log for the foreign issue.\n4. The activity entries reveal: every actor (member or agent) who touched the issue, every action (created, updated, commented, status_changed, assignee_changed, project_changed, label_added, dependency_added), and the `details` JSON blob containing the before/after values of every change. State: the attacker fingerprints the foreign workspace\u0027s triage workflow, identifies who works on what, and sees the issue\u0027s complete history including any embedded secrets that ever passed through the description or comments.\n5. Final state: with one workspace-member token plus one GET, the attacker reads the full activity timeline of any issue in the multi-tenant deployment given the issue UUIDs.\n\n## Security Impact\n\n**Severity:** sec-moderate. CVSS 6.5: network attack, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality (full activity log including before/after `details`), no integrity claim (read-only), no availability claim.\n\n**Attacker capability:** read the activity log of any issue in the deployment given its UUID. Combined with the companion issue-IDOR (which already gives full issue content), this is recon for the foreign workspace\u0027s operational tempo, member identity, and triage workflow.\n\n**Preconditions:** `praisonai-platform` is deployed multi-tenant; attacker has any workspace-membership token; foreign issue UUIDs are reachable.\n\n**Differential:** source-inspection-verified. The asymmetry between `list_workspace_activity` (correctly workspace-scoped) and `list_issue_activity` (no workspace check) confirms the gap. With the suggested fix below, the route first resolves the issue via `IssueService.get(workspace_id, issue_id)`, returns 404 for foreign issues, and only then proceeds.\n\n## Suggested Fix\n\n```diff\n--- a/src/praisonai-platform/praisonai_platform/api/routes/activity.py\n+++ b/src/praisonai-platform/praisonai_platform/api/routes/activity.py\n@@ -32,9 +32,12 @@\n @router.get(\"/issues/{issue_id}/activity\", response_model=List[ActivityLogResponse])\n async def list_issue_activity(\n workspace_id: str,\n issue_id: str,\n limit: int = Query(50, ge=1, le=200),\n offset: int = Query(0, ge=0),\n user: AuthIdentity = Depends(require_workspace_member),\n session: AsyncSession = Depends(get_db),\n ):\n+ issue_svc = IssueService(session)\n+ if await issue_svc.get(workspace_id, issue_id) is None: # workspace-scoped get from issue-IDOR companion\n+ raise HTTPException(status_code=404, detail=\"Issue not found\")\n svc = ActivityService(session)\n logs = await svc.list_for_issue(issue_id, limit=limit, offset=offset)\n return [ActivityLogResponse.model_validate(log) for log in logs]\n```\n\nThe same single-key issue lookup pattern is filed separately as the IssueService IDOR; once that is fixed, the helper used here is just `IssueService.get(workspace_id, issue_id)`.",
"id": "GHSA-27p4-pjqv-whgj",
"modified": "2026-05-29T22:34:08Z",
"published": "2026-05-29T22:34:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-27p4-pjqv-whgj"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership"
}