All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-58653
MEDIUMpublished 2026-07-02 13:17 UTC · 2 days ago · modified 2026-07-02 18:47 UTC
5.3
CVSS / 10
// description
PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints.
// weaknesses (CWE)
- CWE-639