python · praisonai-platform · Heads-up
praisonai-platform: Cross-tenant integrity violation in issue endpoints
What changed
Issue create and update endpoints accept a project_id in the request body without validating that the project belongs to the URL workspace, allowing cross-tenant integrity violation.
Who it affects
Users of praisonai-platform who rely on project statistics for accurate issue counts; any workspace member can inject foreign issues into another workspace's project stats.
What to do today
Validate that body-supplied project_id, parent_issue_id, and assignee_id belong to the workspace before persisting, and scope get_stats to filter by workspace_id.
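The check described above, as an added example that is not praisonai-platform's own code: every body-supplied foreign key (project_id, parent_issue_id, assignee_id) is resolved and compared against the workspace taken from the URL before anything is persisted, and the stats query filters by workspace_id as well as project_id. The in-memory store, the dataclasses and all function names are assumptions made for illustration; Python is used because the page tags the project as python.

```python
"""Tenant-scoping checks for body-supplied ids and a workspace-scoped stats
query. Added illustration, not praisonai-platform code; the data model and
every name below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional


class CrossTenantError(ValueError):
    """Raised when a body-supplied id does not belong to the URL workspace."""


@dataclass
class Project:
    id: str
    workspace_id: str


@dataclass
class User:
    id: str
    workspace_id: str


@dataclass
class Issue:
    id: str
    workspace_id: str
    project_id: str
    parent_issue_id: Optional[str] = None
    assignee_id: Optional[str] = None


@dataclass
class Store:
    projects: Dict[str, Project] = field(default_factory=dict)
    users: Dict[str, User] = field(default_factory=dict)
    issues: Dict[str, Issue] = field(default_factory=dict)


def _require_in_workspace(kind, row, workspace_id):
    """Treat 'missing' and 'belongs to another workspace' identically, so the
    error does not leak whether an id exists elsewhere."""
    if row is None or row.workspace_id != workspace_id:
        raise CrossTenantError(f"{kind} not found in workspace {workspace_id}")
    return row


def validate_issue_refs(store, workspace_id, body):
    """Resolve each body-supplied id and confirm it is in the URL workspace.
    Raises before any write happens; returns the validated fields."""
    _require_in_workspace("project", store.projects.get(body["project_id"]), workspace_id)
    parent = body.get("parent_issue_id")
    if parent is not None:
        _require_in_workspace("parent issue", store.issues.get(parent), workspace_id)
    assignee = body.get("assignee_id")
    if assignee is not None:
        _require_in_workspace("assignee", store.users.get(assignee), workspace_id)
    return {"project_id": body["project_id"], "parent_issue_id": parent, "assignee_id": assignee}


def create_issue(store, workspace_id, issue_id, body):
    refs = validate_issue_refs(store, workspace_id, body)
    issue = Issue(id=issue_id, workspace_id=workspace_id, **refs)
    store.issues[issue_id] = issue
    return issue


def update_issue(store, workspace_id, issue_id, body):
    # The issue being edited must itself belong to the URL workspace, and
    # fields absent from the body keep their current (already validated) value.
    issue = _require_in_workspace("issue", store.issues.get(issue_id), workspace_id)
    merged = {
        "project_id": body.get("project_id", issue.project_id),
        "parent_issue_id": body.get("parent_issue_id", issue.parent_issue_id),
        "assignee_id": body.get("assignee_id", issue.assignee_id),
    }
    refs = validate_issue_refs(store, workspace_id, merged)
    issue.project_id, issue.parent_issue_id, issue.assignee_id = refs.values()
    return issue


def get_stats(store, workspace_id, project_id):
    """Scoped stats: the project must be in the workspace, and only issues
    carrying the same workspace_id are counted."""
    project = _require_in_workspace("project", store.projects.get(project_id), workspace_id)
    return sum(1 for i in store.issues.values()
               if i.workspace_id == workspace_id and i.project_id == project.id)


def unscoped_issue_count(store, project_id):
    """The weak form: filtering on project_id alone lets rows persisted under
    another workspace inflate the count."""
    return sum(1 for i in store.issues.values() if i.project_id == project_id)


def demo():
    """Constructed scenario: two workspaces, one legitimate issue, one rejected
    cross-tenant create, and one legacy row written before validation existed."""
    store = Store()
    store.projects["p-a"] = Project("p-a", "ws-a")
    store.projects["p-b"] = Project("p-b", "ws-b")
    store.users["u-b"] = User("u-b", "ws-b")
    create_issue(store, "ws-a", "i-1", {"project_id": "p-a"})
    try:
        create_issue(store, "ws-a", "i-2", {"project_id": "p-b"})  # foreign project
        rejected = False
    except CrossTenantError:
        rejected = True
    # Legacy row (constructed): ws-a issue pointing at ws-b's project, pre-fix.
    store.issues["i-legacy"] = Issue("i-legacy", "ws-a", "p-b")
    return {
        "foreign_project_rejected": rejected,
        "scoped_ws_a_p_a": get_stats(store, "ws-a", "p-a"),
        "scoped_ws_b_p_b": get_stats(store, "ws-b", "p-b"),
        "unscoped_p_b": unscoped_issue_count(store, "p-b"),
    }
```

The scoped count for ws-b's project stays at zero even with the legacy row present, while the project_id-only count reports one; that gap is the integrity violation the advisory describes, and filtering stats by workspace_id closes it for data that was persisted before the create/update checks were added.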