CVE-2026-58653
Severity: Medium, CVSS 4.3
Exploitation Probability (EPSS): Low risk, 5th percentile (higher than 5% of all known CVEs)
Summary
PraisonAI before version 0.1.7 fails to validate that the project_id in issue create and update request bodies belongs to the workspace named in the URL. An attacker can create issues that reference projects from other workspaces; because project statistics are aggregated without workspace constraints, this causes cross-tenant data pollution.
Risk Assessment
The organization is at risk of cross-tenant data pollution, leading to incorrect project statistics and potential information leakage between workspaces.
Recommendation
Immediately update PraisonAI to version 0.1.7 or later, which includes a fix that validates the project_id belongs to the workspace.
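One way to enforce the check the recommendation describes, as an added example that is not PraisonAI's code: the Store class, its method names and the workspace and project ids are hypothetical and the data is constructed. It puts the unchecked create path beside validated create and update paths, and counts project issues with and without a workspace constraint.

```python
# Added illustration; names and data model are hypothetical, not PraisonAI code.
from dataclasses import dataclass, field

class CrossWorkspaceError(Exception):
    """Body project_id does not belong to the workspace named in the URL."""

@dataclass
class Store:
    projects: dict = field(default_factory=dict)  # project_id -> workspace_id
    issues: list = field(default_factory=list)    # dicts: id, workspace_id, project_id

    def _check_project(self, url_workspace_id, project_id):
        # Same error for "unknown" and "other tenant", so the response does
        # not confirm that a project exists in another workspace.
        if project_id is not None and self.projects.get(project_id) != url_workspace_id:
            raise CrossWorkspaceError("project not found in this workspace")

    def create_issue_unchecked(self, url_workspace_id, body):
        # Flawed pattern from the advisory: the body project_id is trusted as-is.
        issue = {"id": len(self.issues) + 1, "workspace_id": url_workspace_id,
                 "project_id": body.get("project_id")}
        self.issues.append(issue)
        return issue

    def create_issue(self, url_workspace_id, body):
        self._check_project(url_workspace_id, body.get("project_id"))
        return self.create_issue_unchecked(url_workspace_id, body)

    def update_issue(self, url_workspace_id, issue_id, body):
        issue = next((i for i in self.issues if i["id"] == issue_id
                      and i["workspace_id"] == url_workspace_id), None)
        if issue is None:
            raise KeyError(issue_id)
        if "project_id" in body:  # the update path needs the same check
            self._check_project(url_workspace_id, body["project_id"])
            issue["project_id"] = body["project_id"]
        return issue

    def project_issue_count(self, workspace_id, project_id, scoped=True):
        # scoped=False mimics aggregation with no workspace constraint.
        return sum(1 for i in self.issues if i["project_id"] == project_id
                   and (not scoped or i["workspace_id"] == workspace_id))

def demo():
    s = Store(projects={"proj-a": "ws-a", "proj-b": "ws-b"})  # constructed data
    s.create_issue_unchecked("ws-a", {"project_id": "proj-b"})  # cross-tenant row
    return (s.project_issue_count("ws-b", "proj-b", scoped=False),
            s.project_issue_count("ws-b", "proj-b"))
```

Validation at write time and a workspace filter at aggregation time are independent controls; the filter keeps statistics correct for rows written before the check existed.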
Original NVD description (English source)
PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints.

