{"data":{"id":"dcefb1f7-f45e-43b9-a316-d25dc5a49222","title":"GHSA-rcmc-q9rj-4wmq: praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}","summary":"The `PATCH /workspaces/{id}` endpoint in praisonai-platform allows any workspace member to change the workspace's name, description, and settings (a free-form JSON configuration object) because it only checks that the user is a member, not that they have owner-level permissions. This is dangerous because attackers could inject malicious settings that could redirect API calls to attacker-controlled servers, disable logging, or change other critical configurations depending on what the platform reads from the settings field.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-rcmc-q9rj-4wmq","publishedAt":"2026-06-01T14:23:08.000Z","cveId":"CVE-2026-47411","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":["praisonai-platform@< 0.1.4 (fixed: 0.1.4)"],"affectedVendors":[],"affectedVendorsRaw":["PraisonAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-01T14:23:08.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}