Auth bypass in Mervinpraison Praisonai
CVE-2026-60087
PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by obtaining approval for a benign operation…
Vulnerability class: Broken Access Control
CVSS v3 metric
CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L.
Affected products
- Mervinpraison Praisonai — versions 0, 1.6.78
Weakness classification (CWE)
References
- disclosure@vulncheck.com (vendor-advisory)
- disclosure@vulncheck.com (third-party-advisory)
Frequently asked questions
- What is CVE-2026-60087?
- CVE-2026-60087 is a medium-severity vulnerability in Mervinpraison Praisonai, classified under Incorrect Authorization. CVSS score: 6.1/10. Published 2026-07-15.
- How severe is CVE-2026-60087?
- Medium severity. CVSS v3 base score is 6.1 out of 10.