{"id":"PYSEC-2026-481","summary":"praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}","details":"## Summary\n\n**Type:** Vertical privilege escalation. The `PATCH /workspaces/{workspace_id}/members/{user_id}` endpoint is gated by `require_workspace_member(workspace_id)`, which defaults to `min_role=\"member\"` and is never overridden by the route. The handler then calls `MemberService.update_role(workspace_id, user_id, body.role)` which sets the target member's role to whatever the request body specifies, with no check that the caller has owner-or-admin privilege, no check that the new role is not higher than the caller's own, and no check that the caller is not silently promoting themselves.\n **File:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 115-127; `services/member_service.py`, lines 55-69; `api/deps.py`, lines 54-73.\n **Root cause:** `require_workspace_member` exists with a `min_role` parameter (deps.py:58) but FastAPI's `Depends(require_workspace_member)` cannot pass arguments, so every route uses the default `\"member\"`. The route then passes the URL-supplied `user_id` and the body-supplied `role` directly to `MemberService.update_role`, which contains zero permission checks: it loads the member by composite key and assigns `member.role = new_role`. A user with the lowest possible privilege (\"member\") thus sets their own role to \"owner\" with one HTTP PATCH, completing a member-to-owner privilege escalation in a single request.\n\n## Affected Code\n\n**File 1:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 115-127.\n\n```python\n@router.patch(\"/{workspace_id}/members/{user_id}\", response_model=MemberResponse)\nasync def update_member_role(\n    workspace_id: str,\n    user_id: str,\n    body: MemberUpdate,\n    user: AuthIdentity = Depends(require_workspace_member),         # \u003c-- BUG: defaults to min_role=\"member\"; no role gate\n    session: AsyncSession = Depends(get_db),\n):\n    member_svc = MemberService(session)\n    member = await member_svc.update_role(workspace_id, user_id, body.role)  # \u003c-- writes any role to any member\n    if member is None:\n        raise HTTPException(status_code=404, detail=\"Member not found\")\n    return MemberResponse.model_validate(member)\n ```\n\n**File 2:** `src/praisonai-platform/praisonai_platform/services/member_service.py`, lines 55-69.\n\n```python\nasync def update_role(\n    self,\n    workspace_id: str,\n    user_id: str,\n    new_role: str,\n) -\u003e Optional[Member]:\n    \"\"\" Update a member's role.\"\"\"\n    if new_role not in VALID_ROLES:                                  # only validates the *value*, not the *caller's right*\n        raise ValueError(f\"Invalid role: {new_role}. Must be one of {VALID_ROLES}\")\n    member = await self.get(workspace_id, user_id)\n    if member is None:\n        return None\n    member.role = new_role                                           # \u003c-- BUG: no caller-role check, no target-vs-caller hierarchy check\n    await self._session.flush()\n    return member\n```\n\n**File 3:** `src/praisonai-platform/praisonai_platform/api/deps.py`, lines 54-73.\n\n```python\nasync def require_workspace_member(\n    workspace_id: str,\n    user: AuthIdentity = Depends(get_current_user),\n    session: AsyncSession = Depends(get_db),\n    min_role: str = \"member\",                                        # \u003c-- default that no route overrides\n) -\u003e AuthIdentity:\n    member_svc = MemberService(session)\n    has = await member_svc.has_role(workspace_id, user.id, min_role)\n    if not has:\n        raise HTTPException(status_code=403, detail=\"Not a member of this workspace or insufficient role\")\n    user.workspace_id = workspace_id\n    return user\n```\n\n**Why it's wrong:** `require_workspace_member` was clearly designed to be tunable per-route — the `min_role` parameter is right there — but `Depends(require_workspace_member)` in FastAPI cannot pass arguments to a dependency, so every route resolves to the default `\"member\"`. The author's intent is also evident in `MemberService.has_role` (member_service.py:80-96), which implements an `owner \u003e admin \u003e member` hierarchy that this endpoint should be enforcing. The endpoint uses none of it. The `VALID_ROLES = {\"owner\", \"admin\", \"member\"}` enum check (member_service.py:62) only validates the *new role string is recognised*, not that the *caller has the right to assign it*. As a result, a member can write `{\"role\": \"owner\"}` to their own membership row and become owner in one PATCH.\n \n## Exploit Chain\n\n1. Attacker registers an account and joins (or is invited to) any workspace `W` as a \"member\" (the lowest privilege tier — typically anyone can be added by an owner during onboarding, or self-joins via an invite link). State: attacker has a JWT, is a `Member(workspace_id=W, user_id=attacker, role=\"member\")`.\n2. Attacker sends `PATCH /workspaces/W/members/\u003cattacker_user_id\u003e` with `Authorization: Bearer \u003cattacker_jwt\u003e` and body `{\"role\": \"owner\"}`. State: control flow enters `update_member_role`.\n3. `require_workspace_member(W, attacker)` runs. Its default `min_role=\"member\"` is satisfied because the attacker is a member. The dependency returns the attacker's identity. State: route handler proceeds with no further role gate.\n4. `MemberService.update_role(W, attacker, \"owner\")` runs. `VALID_ROLES` accepts `\"owner\"`. `self.get(W, attacker)` returns the attacker's existing member row. The next line, `member.role = \"owner\"`, mutates the attacker's role in place. `await self._session.flush()` commits. State: attacker is now `Member(workspace_id=W, user_id=attacker, role=\"owner\")`.\n5. Attacker re-issues `GET /auth/me` (or any owner-gated endpoint) and is now treated as workspace owner. State: full administrative control of the workspace, including the ability to add/remove members, change settings, delete the workspace, and exfiltrate everything via the agent/issue/project/comment IDORs that were filed as separate advisories.\n6. Final state: starting from the lowest workspace privilege, the attacker holds owner of the workspace within one HTTP request. The same primitive also lets the attacker DEMOTE the legitimate owner by sending `PATCH /workspaces/W/members/\u003cowner_user_id\u003e` with `{\"role\": \"member\"}` — owner lockout in two requests total.\n\n## Security Impact\n\n**Severity:** sec-critical. CVSS 9.1: network attack, low complexity, low privileges (the lowest tier on the platform), no user interaction, scope changed (the privilege boundary the attacker crosses is the workspace owner, a different security principal), high confidentiality and integrity (full workspace control), no availability claim (the attacker can also DELETE the workspace via the companion `delete_workspace` advisory, but that is a separate finding).\n**Attacker capability:** with one workspace-member token plus one PATCH request, the attacker becomes workspace owner. From there: add/remove any user as owner, change every workspace setting (including the `settings` JSON blob), demote the legitimate owner to \"member\", or chain into the companion `delete_workspace` advisory to wipe the workspace entirely. In multi-tenant SaaS deployments where any signup yields a member-level account in some default workspace, this is effectively pre-auth.\n**Preconditions:** `praisonai-platform` is deployed multi-tenant (more than one workspace exists OR the deployment grants member access on signup); the attacker has any membership token in the target workspace.\n**Differential:** source-inspection-verified end-to-end. The asymmetry between `require_workspace_member`'s `min_role` parameter (which exists, defaults to \"member\", and is never overridden) and `MemberService.has_role`'s clearly tiered `owner \u003e admin \u003e member` hierarchy (which exists but is never invoked with anything but the default) is the smoking gun. With the suggested fix below, the route resolves with `min_role=\"owner\"`, the attacker's member-level token fails the gate at the dependency, and the privilege escalation never reaches the service layer.\n\n## Suggested Fix\n\nThe fix has two parts. First, the route must resolve `require_workspace_member` with `min_role=\"owner\"` (or at least `\"admin\"`). Second, `MemberService.update_role` should refuse to set a target's role higher than the caller's own role, so that an admin cannot accidentally produce another owner.\n\n```diff\n--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py\n +++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py\n@@ -115,11 +115,16 @@\n+def _require_owner(workspace_id: str, user, session):\n+    return require_workspace_member(workspace_id, user, session, min_role=\"owner\")\n+\n @router.patch(\"/{workspace_id}/members/{user_id}\", response_model=MemberResponse)\n async def update_member_role(\n     workspace_id: str,\n     user_id: str,\n     body: MemberUpdate,\n-    user: AuthIdentity = Depends(require_workspace_member),\n+    user: AuthIdentity = Depends(_require_owner),\n     session: AsyncSession = Depends(get_db),\n ):\n     member_svc = MemberService(session)\n+    if not await member_svc.has_role(workspace_id, user.id, \"owner\"):\n+        raise HTTPException(status_code=403, detail=\"Only owners can change member roles\")\n     member = await member_svc.update_role(workspace_id, user_id, body.role)\n```\n\nDefence-in-depth in the service layer:\n\n```diff\n --- a/src/praisonai-platform/praisonai_platform/services/member_service.py\n+++ b/src/praisonai-platform/praisonai_platform/services/member_service.py\n@@ -55,7 +55,7 @@\n-    async def update_role(self, workspace_id: str, user_id: str, new_role: str) -\u003e Optional[Member]:\n+    async def update_role(self, workspace_id: str, caller_id: str, user_id: str, new_role: str) -\u003e Optional[Member]:\n         \"\"\"Update a member's role.\"\"\"\n+        if not await self.has_role(workspace_id, caller_id, \"owner\"):\n+            raise PermissionError(\"Only owners can update member roles\")\n         if new_role not in VALID_ROLES:\n             raise ValueError(...)\n ```\n\nThe companion endpoints `add_member`, `remove_member`, `delete_workspace`, and `update_workspace` exhibit the same `Depends(require_workspace_member)` default-min-role pattern and are filed as their own advisories so each gets a separate CVE.","aliases":["CVE-2026-47416","GHSA-c2m8-4gcg-v22g"],"modified":"2026-07-01T20:23:01.018489Z","published":"2026-06-29T11:50:49.130266Z","references":[{"type":"WEB","url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-c2m8-4gcg-v22g"},{"type":"PACKAGE","url":"https://github.com/MervinPraison/PraisonAI"},{"type":"PACKAGE","url":"https://pypi.org/project/praisonai-platform"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-c2m8-4gcg-v22g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47416"}],"affected":[{"package":{"name":"praisonai-platform","ecosystem":"PyPI","purl":"pkg:pypi/praisonai-platform"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.1.4"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/praisonai-platform/PYSEC-2026-481.yaml","last_known_affected_version_range":"\u003c= 0.1.2"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"}]}