Skip to main content

PraisonAI Platform CVE-2026-47410

CRITICAL
Use of Hard-coded Cryptographic Key (CWE-321)
2026-05-29 https://github.com/MervinPraison/PraisonAI GHSA-3qg8-5g3r-79v5
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 29, 2026 - 23:23 vuln.today
Analysis Generated
May 29, 2026 - 23:23 vuln.today
CVE Published
May 29, 2026 - 22:42 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Summary

Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORM_JWT_SECRET is unset. A safety check exists but only fires when PLATFORM_ENV != "dev"; the default value of PLATFORM_ENV is "dev", so the check is silently bypassed in any deployment that does not explicitly opt out. The attacker reads the literal from this public source file, mints a JWT with arbitrary sub and email claims, and authenticates as any existing user (including workspace owners and admins). File: src/praisonai-platform/praisonai_platform/services/auth_service.py, lines 25-36 and 114-137. Root cause: the production-mode guard checks os.environ.get("PLATFORM_ENV", "dev") != "dev" - but the default is "dev", so a clean deployment that just imports the package and runs uvicorn praisonai_platform.api.app:app proceeds with the hardcoded secret. The package documentation does not warn loudly enough that BOTH variables must be set; the guard suppresses itself when either condition is missed. JWT verification at line 129 trusts whatever the token says (sub, email, name) once the HMAC-SHA256 signature validates against the publicly-known secret. Since the verifier accepts forged tokens for any user_id, the attacker becomes that user across every authenticated route.

Affected Code

File: src/praisonai-platform/praisonai_platform/services/auth_service.py, lines 25-36 and 114-137.

python
_DEFAULT_SECRET = "dev-secret-change-me"
JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET", _DEFAULT_SECRET)
# <-- BUG: silent fallback
JWT_ALGORITHM = "HS256"
JWT_TTL_SECONDS = int(os.environ.get("PLATFORM_JWT_TTL", str(30 * 24 * 3600)))

if JWT_SECRET == _DEFAULT_SECRET and os.environ.get("PLATFORM_ENV", "dev") != "dev":
    raise RuntimeError(
# <-- only fires if PLATFORM_ENV is non-default
        "PLATFORM_JWT_SECRET must be set to a strong random value in production. "
        "Set PLATFORM_ENV=dev to suppress this check during development."
    )
# ...

def _issue_token(self, user: User) -> str:
    payload = {
        "sub": user.id,
        "email": user.email,
        "name": user.name,
        "iat": now,
        "exp": now + timedelta(seconds=JWT_TTL_SECONDS),
    }
    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
# signs with the hardcoded secret

def _verify_token(self, token: str) -> Optional[AuthIdentity]:
    try:
        payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
# verifies with the hardcoded secret
        return AuthIdentity(
            id=payload["sub"],
# <-- attacker chooses sub
            type="user",
            email=payload.get("email"),
            name=payload.get("name"),
        )
    except jwt.InvalidTokenError:
        return None

Why it's wrong: the guard's predicate is wrong. The intent - "warn loudly if a production deployment ships without setting the secret" - is correct, but the implementation requires the operator to set BOTH variables (PLATFORM_JWT_SECRET and PLATFORM_ENV != "dev") for the guard to fire. A common deployment misconfiguration is to set only one (or neither): pip install praisonai-platform, uvicorn praisonai_platform.api.app:app --host 0.0.0.0, done. The package starts with no warning, the JWT signing key is the literal string sitting in this source file, and any attacker who reads the GitHub repo can forge tokens. The standard pattern is to fail-closed at import time when the secret is the default, regardless of any environment variable. The code at line 32-36 inverts that: it fails-open by default and only fails-closed when the operator opts in.

Exploit Chain

  1. Attacker reads auth_service.py:25 from the public GitHub repo (MervinPraison/PraisonAI) and notes _DEFAULT_SECRET = "dev-secret-change-me". State: attacker holds the JWT signing key.
  2. Attacker identifies a target deployment of praisonai-platform (Shodan search for the FastAPI route /auth/me, the praisonai_platform user-agent, or any indexed installation). Attacker registers a free account at POST /auth/register to confirm the deployment is live and to obtain at least one valid JWT token whose structure they can copy. State: attacker holds a live account.
  3. Attacker enumerates the platform's user IDs via any of the IDOR primitives filed as separate advisories (issue created_by, agent owner_id, comment author_id, member list via the workspace-member-IDOR), or simply queries /auth/me with their own token to learn the UUID format. State: attacker has a target user UUID T_id (e.g. a workspace owner of any tenant).
  4. Attacker forges a JWT:
python
   import jwt, time
   payload = {"sub": "T_id", "email": "victim@example.com", "name": "victim",
              "iat": int(time.time()), "exp": int(time.time()) + 3600}
   token = jwt.encode(payload, "dev-secret-change-me", algorithm="HS256")

State: attacker holds a JWT that the deployment's _verify_token will accept as authentic.

  1. Attacker sends GET /auth/me with Authorization: Bearer <forged_token>. _verify_token decodes the token using JWT_SECRET = "dev-secret-change-me", the HMAC matches, an AuthIdentity(id="T_id", ...) is returned. The route resolves the actual User row by User.id == "T_id" and returns the victim's record. State: attacker is authenticated as the victim.
  2. Attacker pivots: POST /workspaces/{id}/members to add themselves as owner (chaining with the companion priv-esc advisory becomes redundant - the attacker is already the victim), PATCH /workspaces/{id} to flip settings, DELETE /workspaces/{id} to wipe data, or simply GET /workspaces/{id}/issues/... to exfiltrate everything the victim could read.
  3. Final state: full account takeover for any user_id on any deployment that did not explicitly set both PLATFORM_JWT_SECRET and PLATFORM_ENV=production. No prior auth, no user interaction, no special network position required.

Security Impact

Severity: sec-critical. CVSS 9.8: network attack, low complexity, no privileges, no user interaction, scope unchanged (the JWT layer is the same component the attacker pivots through), high confidentiality, high integrity, high availability (chaining with delete_workspace from the companion advisory). Attacker capability: mint a JWT for any user_id on the deployment with the public secret, becoming that user across every authenticated route. No prior authentication required - the attacker only needs the package to be deployed and reachable. This is a pre-auth full account takeover. Preconditions: praisonai-platform is deployed without explicitly setting BOTH PLATFORM_JWT_SECRET AND PLATFORM_ENV=<non-dev>. The default deployment pattern (pip install, uvicorn ...) hits this. The attacker needs network reachability to the API. Differential: source-inspection-verified end-to-end. The asymmetry is between the documented intent of the guard (warn in production) and its actual semantics (warn only when the operator sets PLATFORM_ENV to a non-"dev" value). With the suggested fix below, the guard fails-closed: any deployment that did not set PLATFORM_JWT_SECRET raises at import time, regardless of PLATFORM_ENV. The forged-token attack returns None from _verify_token because the signing key the attacker used ("dev-secret-change-me") no longer matches the deployment's secret.

Suggested Fix

Fail-closed at import time when the secret is the default, irrespective of PLATFORM_ENV. Permit explicit dev-mode opt-in with a separate variable that is NEVER the default.

diff
--- a/src/praisonai-platform/praisonai_platform/services/auth_service.py
+++ b/src/praisonai-platform/praisonai_platform/services/auth_service.py
@@ -23,12 +23,16 @@
 _pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

-_DEFAULT_SECRET = "dev-secret-change-me"
-JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET", _DEFAULT_SECRET)
+JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET")
 JWT_ALGORITHM = "HS256"
 JWT_TTL_SECONDS = int(os.environ.get("PLATFORM_JWT_TTL", str(30 * 24 * 3600)))

-if JWT_SECRET == _DEFAULT_SECRET and os.environ.get("PLATFORM_ENV", "dev") != "dev":
-    raise RuntimeError(
-        "PLATFORM_JWT_SECRET must be set to a strong random value in production. "
-        "Set PLATFORM_ENV=dev to suppress this check during development."
-    )
+if not JWT_SECRET:
+    if os.environ.get("PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT") != "1":
+        raise RuntimeError(
+            "PLATFORM_JWT_SECRET must be set to a strong random value (min 32 bytes). "
+            "For local development, set PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT=1 to "
+            "auto-generate an ephemeral random secret per process."
+        )
+    import secrets
+    JWT_SECRET = secrets.token_urlsafe(32)
+
# ephemeral; tokens issued before restart will not validate after restart
+    import warnings
+    warnings.warn("Using ephemeral JWT secret; set PLATFORM_JWT_SECRET in production")

The guard now fails-closed: an unset PLATFORM_JWT_SECRET raises at import unless the operator explicitly opts into dev mode with a separate variable. The dev-mode path generates a per-process random secret instead of using a hardcoded one, so even leaked dev-mode tokens cannot be used against another deployment. Add a startup banner that prints the JWT secret's hash prefix (not the secret itself) so operators can confirm at runtime which key is in use.

AnalysisAI

Pre-authentication full account takeover in praisonai-platform (pip package, versions <= 0.1.2) allows remote unauthenticated attackers to forge JWTs for any user, including workspace owners and admins. The JWT signing key silently falls back to the hardcoded literal 'dev-secret-change-me' from the public GitHub source because the production-mode guard only triggers when PLATFORM_ENV is explicitly set to a non-default value, which default deployments do not do. Publicly available exploit code exists in the GHSA advisory itself, though no public exploit campaign or CISA KEV listing has been reported at time of analysis.

Technical ContextAI

The vulnerability is a CWE-321 (Use of Hard-coded Cryptographic Key) flaw in the Python FastAPI-based praisonai-platform package (pkg:pip/praisonai-platform), specifically in praisonai_platform/services/auth_service.py. The service uses PyJWT with HS256 (HMAC-SHA256), a symmetric algorithm where the same secret signs and verifies tokens. The package reads JWT_SECRET from PLATFORM_JWT_SECRET but falls back to the literal '_DEFAULT_SECRET = "dev-secret-change-me"' present in the public MervinPraison/PraisonAI repository. The intended fail-safe - a RuntimeError when the default secret is used in production - is gated by os.environ.get("PLATFORM_ENV", "dev") != "dev", but because PLATFORM_ENV itself defaults to 'dev', the guard is bypassed unless the operator explicitly sets both variables. Once HMAC verification passes, _verify_token trusts the sub, email, and name claims verbatim to construct an AuthIdentity, so any forged token impersonates the chosen user across every authenticated route.

RemediationAI

Vendor-released patch: upgrade praisonai-platform to 0.1.4 or later via pip install --upgrade praisonai-platform>=0.1.4, per the GHSA-3qg8-5g3r-79v5 advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3qg8-5g3r-79v5. If upgrading immediately is not possible on 0.1.2 or earlier, the minimum compensating control is to set PLATFORM_JWT_SECRET to a strong random value of at least 32 bytes (e.g. python -c 'import secrets; print(secrets.token_urlsafe(32))') AND set PLATFORM_ENV to any non-'dev' value so the guard fails-closed at import; missing either variable leaves the deployment exploitable. Because changing the secret invalidates every previously issued token, expect user-visible logouts and pre-coordinate with downstream services that cache tokens. Additional defensive measures while patching: block public network access to the FastAPI app (restrict to VPN/SSO-fronted ingress), rotate any data that may have been accessed via forged tokens, and audit recent /auth/me, /workspaces/*, and member-mutation requests for forged JWTs signed with the public default secret.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-47410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy