CVE Catalog

CVE-2026-58653

Medium · CVSS 4.3

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile — higher than 5% of all known CVEs

Summary

PraisonAI before version 0.1.7 fails to validate that the project_id in issue create and update request bodies belongs to the workspace named in the URL. An attacker can create issues that reference projects from other workspaces. Because project statistics are aggregated without workspace constraints, this causes cross-tenant data pollution.

Risk Assessment

The organization is at risk of cross-tenant data pollution, leading to incorrect project statistics and potential information leakage between workspaces.

Recommendation

Immediately update PraisonAI to version 0.1.7 or later, which includes a fix that validates that the project_id belongs to the workspace.
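The missing check and its corrected form, as an added example that is not PraisonAI's code: the in-memory data model, the function names and the sample ids are all hypothetical, constructed to mirror the create and update paths and the unscoped statistics aggregation described in the summary.

```python
from collections import Counter

# Constructed sample data (hypothetical): project id -> owning workspace id.
PROJECTS = {"proj-a1": "ws-a", "proj-b1": "ws-b"}
ISSUES = []  # each issue: {"workspace_id", "project_id", "title"}


class CrossWorkspaceReference(Exception):
    """The body's project_id does not belong to the URL workspace."""


def require_project_in_workspace(url_workspace_id, project_id):
    # Unknown and foreign projects fail identically, so ids cannot be probed.
    if project_id is not None and PROJECTS.get(project_id) != url_workspace_id:
        raise CrossWorkspaceReference(project_id)


def create_issue_unchecked(url_workspace_id, body):
    # Behaviour the advisory describes: body project_id is trusted as-is.
    issue = {**body, "workspace_id": url_workspace_id}
    ISSUES.append(issue)
    return issue


def create_issue_checked(url_workspace_id, body):
    # Hardened create: validate ownership before anything is stored.
    require_project_in_workspace(url_workspace_id, body.get("project_id"))
    issue = {**body, "workspace_id": url_workspace_id}
    ISSUES.append(issue)
    return issue


def update_issue_checked(url_workspace_id, issue, changes):
    # Hardened update: the same check applies when project_id is changed.
    if "project_id" in changes:
        require_project_in_workspace(url_workspace_id, changes["project_id"])
    issue.update({k: v for k, v in changes.items() if k != "workspace_id"})
    return issue


def project_stats_unscoped():
    # Aggregation keyed on project_id only, with no workspace constraint.
    return Counter(i["project_id"] for i in ISSUES if i.get("project_id"))


def project_stats_scoped():
    # Defence in depth: count an issue only if its workspace owns the project.
    return Counter(i["project_id"] for i in ISSUES if i.get("project_id")
                   and PROJECTS.get(i["project_id"]) == i["workspace_id"])
```

Scoping the aggregation as well as the write path keeps rows stored before the upgrade from continuing to skew another workspace's statistics.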

Original NVD description (English source)

PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS