CVE-2026-58653

Summary

PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints.

Affected Software

VendorProductVersion RangeStatus
PraisonAIPraisonAI0 < 0.1.7affected
PraisonAIPraisonAI0.1.7unaffected

Weaknesses

  • CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References