PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-61440 MervinPraison CVE debrief

CVE-2026-61440: PraisonAI Platform before 0.1.9 has a vulnerability that allows workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. This is due to a lack of proper authorization for label and issue-label mutations. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Users of PraisonAI Platform before version 0.1.9 should be aware of this vulnerability and take steps to mitigate it.

Vendor
MervinPraison
Product
PraisonAI
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-18
Advisory published
2026-07-15
Advisory updated
2026-07-18

Who should care

Users of PraisonAI Platform before version 0.1.9 should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 0.1.9 or later, restricting workspace member privileges to prevent unauthorized label and issue-label mutations, and monitoring for suspicious activity related to label and issue-label changes. Security teams and platform operators should review the vulnerability details and assess their exposure.

Technical summary

The PraisonAI Platform before version 0.1.9 has a vulnerability that allows workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. This is due to a lack of proper authorization for label and issue-label mutations. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. The CVE record was published on 2026-07-15T12:18:19.170Z and was last modified on 2026-07-18T02:17:10.270Z.

Defensive priority

High

Recommended defensive actions

  • Update PraisonAI Platform to version 0.1.9 or later
  • Restrict workspace member privileges to prevent unauthorized label and issue-label mutations
  • Monitor for suspicious activity related to label and issue-label changes
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-15T12:18:19.170Z and was last modified on 2026-07-18T02:17:10.270Z. The NVD entry is currently Deferred. This vulnerability affects PraisonAI Platform before version 0.1.9, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues due to improper authorization for label and issue-label mutations. Evidence is limited to CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T12:18:19.170Z and has not been modified since then. The NVD entry is currently Deferred.