praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
Description
Summary
Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORM_JWT_SECRET is unset. A safety check exists but only fires when PLATFORM_ENV != "dev"; the default value of PLATFORM_ENV is "dev", so the check is silently bypassed in any deployment that does not explicitly opt out. The attacker reads the literal from this public source file, mints a JWT with arbitrary sub and email claims, and authenticates as any existing user (including workspace owners and admins). File: src/praisonai-platform/praisonai_platform/services/auth_service.py, lines 25-36 and 114-137. Root cause: the production-mode guard checks os.environ.get("PLATFORM_ENV", "dev") != "dev" — but the default is "dev", so a clean deployment that just imports the package and runs uvicorn praisonai_platform.api.app:app proceeds with the hardcoded secret. The package documentation does not warn loudly enough that BOTH variables must be set; the guard suppresses itself when either condition is missed. JWT verification at line 129 trusts whatever the token says (sub, email, name) once the HMAC-SHA256 signature validates against the publicly-known secret. Since the verifier accepts forged tokens for any user_id, the attacker becomes that user across every authenticated route.
Affected
Code
File: src/praisonai-platform/praisonai_platform/services/auth_service.py, lines 25-36 and 114-137.
_DEFAULT_SECRET = "dev-secret-change-me"
JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET", _DEFAULT_SECRET) # <-- BUG: silent fallback
JWT_ALGORITHM = "HS256"
JWT_TTL_SECONDS = int(os.environ.get("PLATFORM_JWT_TTL", str(30 * 24 * 3600)))
if JWT_SECRET == _DEFAULT_SECRET and os.environ.get("PLATFORM_ENV", "dev") != "dev":
raise RuntimeError( # <-- only fires if PLATFORM_ENV is non-default
"PLATFORM_JWT_SECRET must be set to a strong random value in production. "
"Set PLATFORM_ENV=dev to suppress this check during development."
)
# ...
def _issue_token(self, user: User) -> str:
payload = {
"sub": user.id,
"email": user.email,
"name": user.name,
"iat": now,
"exp": now + timedelta(seconds=JWT_TTL_SECONDS),
}
return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM) # signs with the hardcoded secret
def _verify_token(self, token: str) -> Optional[AuthIdentity]:
try:
payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM]) # verifies with the hardcoded secret
return AuthIdentity(
id=payload["sub"], # <-- attacker chooses sub
type="user",
email=payload.get("email"),
name=payload.get("name"),
)
except jwt.InvalidTokenError:
return None
Why it's wrong: the guard's predicate is wrong. The intent — "warn loudly if a production deployment ships without setting the secret" — is correct, but the implementation requires the operator to set BOTH variables (PLATFORM_JWT_SECRET and PLATFORM_ENV != "dev") for the guard to fire. A common deployment misconfiguration is to set only one (or neither): pip install praisonai-platform, uvicorn praisonai_platform.api.app:app --host 0.0.0.0, done. The package starts with no warning, the JWT signing key is the literal string sitting in this source file, and any attacker who reads the GitHub repo can forge tokens. The standard pattern is to fail-closed at import time when the secret is the default, regardless of any environment variable. The code at line 32-36 inverts that: it fails-open by default and only fails-closed when the operator opts in.
Exploit
Chain
1. Attacker reads auth_service.py:25 from the public GitHub repo (MervinPraison/PraisonAI) and notes _DEFAULT_SECRET = "dev-secret-change-me". State: attacker holds the JWT signing key. 2. Attacker identifies a target deployment of praisonai-platform (Shodan search for the FastAPI route /auth/me, the praisonai_platform user-agent, or any indexed installation). Attacker registers a free account at POST /auth/register to confirm the deployment is live and to obtain at least one valid JWT token whose structure they can copy. State: attacker holds a live account. 3. Attacker enumerates the platform's user IDs via any of the IDOR primitives filed as separate advisories (issue created_by, agent owner_id, comment author_id, member list via the workspace-member-IDOR), or simply queries /auth/me with their own token to learn the UUID format. State: attacker has a target user UUID T_id (e.g. a workspace owner of any tenant). 4. Attacker forges a JWT: ``python import jwt, time payload = {"sub": "T_id", "email": "victim@example.com", "name": "victim", "iat": int(time.time()), "exp": int(time.time()) + 3600} token = jwt.encode(payload, "dev-secret-change-me", algorithm="HS256") ``
State: attacker holds a JWT that the deployment's _verify_token will accept as authentic. 5. Attacker sends GET /auth/me with Authorization: Bearer <forged_token>. _verify_token decodes the token using JWT_SECRET = "dev-secret-change-me", the HMAC matches, an AuthIdentity(id="T_id", ...) is returned. The route resolves the actual User row by User.id == "T_id" and returns the victim's record. State: attacker is authenticated as the victim. 6. Attacker pivots: POST /workspaces/{id}/members to add themselves as owner (chaining with the companion priv-esc advisory becomes redundant — the attacker is already the victim), PATCH /workspaces/{id} to flip settings, DELETE /workspaces/{id} to wipe data, or simply GET /workspaces/{id}/issues/... to exfiltrate everything the victim could read. 7. Final state: full account takeover for any user_id on any deployment that did not explicitly set both PLATFORM_JWT_SECRET and PLATFORM_ENV=production. No prior auth, no user interaction, no special network position required.
Security
Impact
Severity: sec-critical. CVSS 9.8: network attack, low complexity, no privileges, no user interaction, scope unchanged (the JWT layer is the same component the attacker pivots through), high confidentiality, high integrity, high availability (chaining with delete_workspace from the companion advisory). Attacker capability: mint a JWT for any user_id on the deployment with the public secret, becoming that user across every authenticated route. No prior authentication required — the attacker only needs the package to be deployed and reachable. This is a pre-auth full account takeover. Preconditions: praisonai-platform is deployed without explicitly setting BOTH PLATFORM_JWT_SECRET AND PLATFORM_ENV=. The default deployment pattern (pip install, uvicorn ...) hits this. The attacker needs network reachability to the API. Differential: source-inspection-verified end-to-end. The asymmetry is between the documented intent of the guard (warn in production) and its actual semantics (warn only when the operator sets PLATFORM_ENV to a non-"dev" value). With the suggested fix below, the guard fails-closed: any deployment that did not set PLATFORM_JWT_SECRET raises at import time, regardless of PLATFORM_ENV. The forged-token attack returns None from _verify_token because the signing key the attacker used ("dev-secret-change-me") no longer matches the deployment's secret.
Suggested
Fix
Fail-closed at import time when the secret is the default, irrespective of PLATFORM_ENV. Permit explicit dev-mode opt-in with a separate variable that is NEVER the default.
--- a/src/praisonai-platform/praisonai_platform/services/auth_service.py
+++ b/src/praisonai-platform/praisonai_platform/services/auth_service.py
@@ -23,12 +23,16 @@
_pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-_DEFAULT_SECRET = "dev-secret-change-me"
-JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET", _DEFAULT_SECRET)
+JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET")
JWT_ALGORITHM = "HS256"
JWT_TTL_SECONDS = int(os.environ.get("PLATFORM_JWT_TTL", str(30 * 24 * 3600)))
-if JWT_SECRET == _DEFAULT_SECRET and os.environ.get("PLATFORM_ENV", "dev") != "dev":
- raise RuntimeError(
- "PLATFORM_JWT_SECRET must be set to a strong random value in production. "
- "Set PLATFORM_ENV=dev to suppress this check during development."
- )
+if not JWT_SECRET:
+ if os.environ.get("PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT") != "1":
+ raise RuntimeError(
+ "PLATFORM_JWT_SECRET must be set to a strong random value (min 32 bytes). "
+ "For local development, set PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT=1 to "
+ "auto-generate an ephemeral random secret per process."
+ )
+ import secrets
+ JWT_SECRET = secrets.token_urlsafe(32)
+ # ephemeral; tokens issued before restart will not validate after restart
+ import warnings
+ warnings.warn("Using ephemeral JWT secret; set PLATFORM_JWT_SECRET in production")
The guard now fails-closed: an unset PLATFORM_JWT_SECRET raises at import unless the operator explicitly opts into dev mode with a separate variable. The dev-mode path generates a per-process random secret instead of using a hardcoded one, so even leaked dev-mode tokens cannot be used against another deployment. Add a startup banner that prints the JWT secret's hash prefix (not the secret itself) so operators can confirm at runtime which key is in use.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The JWT signing secret defaults to a hardcoded literal, allowing remote attackers to forge authentication tokens and impersonate any user in PraisonAI platform deployments.
Vulnerability
The JWT signing secret in auth_service.py (lines 25–36) defaults to the hardcoded literal "dev-secret-change-me" when the environment variable PLATFORM_JWT_SECRET is not set [1][2]. A safety check exists that raises a RuntimeError if PLATFORM_ENV is not "dev", but the default value of PLATFORM_ENV is "dev", so the check is silently bypassed in any deployment that does not explicitly change PLATFORM_ENV [1][2]. This affects all versions of the praisonai-platform package prior to the fix.
Exploitation
An attacker can read the hardcoded secret from the public source code (the praisonai-platform repository) [1][2]. With this secret, the attacker can forge a JWT with arbitrary sub and email claims and sign it using HMAC-SHA256 [1][2]. The forged token is then sent to the server, where the JWT verification at line 129 trusts the claims once the signature validates against the known secret. No prior authentication or network position is required beyond network access to the server [1][2].
Impact
Successful exploitation allows the attacker to authenticate as any existing user, including workspace owners and administrators [1][2]. This grants full access to all authenticated routes and functionality, leading to complete compromise of the application’s user accounts and associated data [1][2]. The impact includes complete loss of confidentiality, integrity, and availability for the affected system.
Mitigation
No patched version has been disclosed in the available references. The only mitigation is to explicitly set the PLATFORM_JWT_SECRET environment variable to a strong, random value in all deployments, and ensure that PLATFORM_ENV is set to a value other than "dev" in production environments to enable the safety check [1][2]. Users should also rotate any existing tokens after applying the secret change.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
praisonai-platformPyPI | < 0.1.4 | 0.1.4 |
Affected products
2Patches
26db5e3206358Fixing a bug for custom tool
6 files changed · +25 −18
Dockerfile+1 −1 modified@@ -1,6 +1,6 @@ FROM python:3.11-slim WORKDIR /app COPY . . -RUN pip install flask praisonai==0.1.2 gunicorn markdown +RUN pip install flask praisonai==0.1.3 gunicorn markdown EXPOSE 8080 CMD ["gunicorn", "-b", "0.0.0.0:8080", "api:app"]
docs/api/praisonai/deploy.html+1 −1 modified@@ -110,7 +110,7 @@ <h2 id="raises">Raises</h2> file.write("FROM python:3.11-slim\n") file.write("WORKDIR /app\n") file.write("COPY . .\n") - file.write("RUN pip install flask praisonai==0.1.2 gunicorn markdown\n") + file.write("RUN pip install flask praisonai==0.1.3 gunicorn markdown\n") file.write("EXPOSE 8080\n") file.write('CMD ["gunicorn", "-b", "0.0.0.0:8080", "api:app"]\n')
praisonai/deploy.py+1 −1 modified@@ -56,7 +56,7 @@ def create_dockerfile(self): file.write("FROM python:3.11-slim\n") file.write("WORKDIR /app\n") file.write("COPY . .\n") - file.write("RUN pip install flask praisonai==0.1.2 gunicorn markdown\n") + file.write("RUN pip install flask praisonai==0.1.3 gunicorn markdown\n") file.write("EXPOSE 8080\n") file.write('CMD ["gunicorn", "-b", "0.0.0.0:8080", "api:app"]\n')
praisonai.rb+1 −1 modified@@ -3,7 +3,7 @@ class Praisonai < Formula desc "AI tools for various AI applications" homepage "https://github.com/MervinPraison/PraisonAI" - url "https://github.com/MervinPraison/PraisonAI/archive/refs/tags/0.1.2.tar.gz" + url "https://github.com/MervinPraison/PraisonAI/archive/refs/tags/0.1.3.tar.gz" sha256 "1828fb9227d10f991522c3f24f061943a254b667196b40b1a3e4a54a8d30ce32" # Replace with actual SHA256 checksum license "MIT"
praisonai/ui/realtime.py+20 −13 modified@@ -6,7 +6,6 @@ from openai import AsyncOpenAI import chainlit as cl -from chainlit.logger import logger from chainlit.input_widget import TextInput from chainlit.types import ThreadDict @@ -16,6 +15,25 @@ import chainlit.data as cl_data from literalai.helper import utc_now import json +import logging +import importlib.util +from importlib import import_module +from pathlib import Path + +# Set up logging +logger = logging.getLogger(__name__) +log_level = os.getenv("LOGLEVEL", "INFO").upper() +logger.handlers = [] + +# Set up logging to console +console_handler = logging.StreamHandler() +console_handler.setLevel(log_level) +console_formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') +console_handler.setFormatter(console_formatter) +logger.addHandler(console_handler) + +# Set the logging level for the logger +logger.setLevel(log_level) # Set up CHAINLIT_AUTH_SECRET CHAINLIT_AUTH_SECRET = os.getenv("CHAINLIT_AUTH_SECRET") @@ -144,19 +162,8 @@ def load_setting(key: str) -> str: client = AsyncOpenAI() -# Add these new imports and code -import importlib.util -import logging -from importlib import import_module -from pathlib import Path - -# Set up logging -logging.basicConfig(level=logging.INFO) -logger = logging.getLogger(__name__) - # Try to import tools from the root directory -root_dir = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) -tools_path = os.path.join(root_dir, 'tools.py') +tools_path = os.path.join(os.getcwd(), 'tools.py') logger.info(f"Tools path: {tools_path}") def import_tools_from_file(file_path):
pyproject.toml+1 −1 modified@@ -1,6 +1,6 @@ [tool.poetry] name = "PraisonAI" -version = "0.1.2" +version = "0.1.3" description = "PraisonAI application combines AutoGen and CrewAI or similar frameworks into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customization, and efficient human-agent collaboration." authors = ["Mervin Praison"] license = ""
8b72cec167ecMerge pull request #168 from MervinPraison/develop
6 files changed · +25 −18
Dockerfile+1 −1 modified@@ -1,6 +1,6 @@ FROM python:3.11-slim WORKDIR /app COPY . . -RUN pip install flask praisonai==0.1.2 gunicorn markdown +RUN pip install flask praisonai==0.1.3 gunicorn markdown EXPOSE 8080 CMD ["gunicorn", "-b", "0.0.0.0:8080", "api:app"]
docs/api/praisonai/deploy.html+1 −1 modified@@ -110,7 +110,7 @@ <h2 id="raises">Raises</h2> file.write("FROM python:3.11-slim\n") file.write("WORKDIR /app\n") file.write("COPY . .\n") - file.write("RUN pip install flask praisonai==0.1.2 gunicorn markdown\n") + file.write("RUN pip install flask praisonai==0.1.3 gunicorn markdown\n") file.write("EXPOSE 8080\n") file.write('CMD ["gunicorn", "-b", "0.0.0.0:8080", "api:app"]\n')
praisonai/deploy.py+1 −1 modified@@ -56,7 +56,7 @@ def create_dockerfile(self): file.write("FROM python:3.11-slim\n") file.write("WORKDIR /app\n") file.write("COPY . .\n") - file.write("RUN pip install flask praisonai==0.1.2 gunicorn markdown\n") + file.write("RUN pip install flask praisonai==0.1.3 gunicorn markdown\n") file.write("EXPOSE 8080\n") file.write('CMD ["gunicorn", "-b", "0.0.0.0:8080", "api:app"]\n')
praisonai.rb+1 −1 modified@@ -3,7 +3,7 @@ class Praisonai < Formula desc "AI tools for various AI applications" homepage "https://github.com/MervinPraison/PraisonAI" - url "https://github.com/MervinPraison/PraisonAI/archive/refs/tags/0.1.2.tar.gz" + url "https://github.com/MervinPraison/PraisonAI/archive/refs/tags/0.1.3.tar.gz" sha256 "1828fb9227d10f991522c3f24f061943a254b667196b40b1a3e4a54a8d30ce32" # Replace with actual SHA256 checksum license "MIT"
praisonai/ui/realtime.py+20 −13 modified@@ -6,7 +6,6 @@ from openai import AsyncOpenAI import chainlit as cl -from chainlit.logger import logger from chainlit.input_widget import TextInput from chainlit.types import ThreadDict @@ -16,6 +15,25 @@ import chainlit.data as cl_data from literalai.helper import utc_now import json +import logging +import importlib.util +from importlib import import_module +from pathlib import Path + +# Set up logging +logger = logging.getLogger(__name__) +log_level = os.getenv("LOGLEVEL", "INFO").upper() +logger.handlers = [] + +# Set up logging to console +console_handler = logging.StreamHandler() +console_handler.setLevel(log_level) +console_formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') +console_handler.setFormatter(console_formatter) +logger.addHandler(console_handler) + +# Set the logging level for the logger +logger.setLevel(log_level) # Set up CHAINLIT_AUTH_SECRET CHAINLIT_AUTH_SECRET = os.getenv("CHAINLIT_AUTH_SECRET") @@ -144,19 +162,8 @@ def load_setting(key: str) -> str: client = AsyncOpenAI() -# Add these new imports and code -import importlib.util -import logging -from importlib import import_module -from pathlib import Path - -# Set up logging -logging.basicConfig(level=logging.INFO) -logger = logging.getLogger(__name__) - # Try to import tools from the root directory -root_dir = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) -tools_path = os.path.join(root_dir, 'tools.py') +tools_path = os.path.join(os.getcwd(), 'tools.py') logger.info(f"Tools path: {tools_path}") def import_tools_from_file(file_path):
pyproject.toml+1 −1 modified@@ -1,6 +1,6 @@ [tool.poetry] name = "PraisonAI" -version = "0.1.2" +version = "0.1.3" description = "PraisonAI application combines AutoGen and CrewAI or similar frameworks into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customization, and efficient human-agent collaboration." authors = ["Mervin Praison"] license = ""
Vulnerability mechanics
Root cause
"The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORM_JWT_SECRET is unset, and the production guard only fires when PLATFORM_ENV is explicitly set to a non-"dev" value, so a default deployment silently uses the publicly-known secret."
Attack vector
An attacker reads the hardcoded secret `"dev-secret-change-me"` from the public GitHub repository [ref_id=1][ref_id=2]. The attacker then identifies a target deployment of `praisonai-platform` that did not explicitly set both `PLATFORM_JWT_SECRET` and `PLATFORM_ENV` to a non-`"dev"` value [ref_id=1][ref_id=2]. Using the public secret, the attacker forges a JWT with arbitrary `sub` and `email` claims (e.g., a victim's user ID) and sends it in the `Authorization` header [ref_id=1][ref_id=2]. The server's `_verify_token` decodes the forged token successfully, returning an `AuthIdentity` for the victim, giving the attacker full access to all authenticated routes as that user [ref_id=1][ref_id=2]. No prior authentication or user interaction is required [ref_id=1][ref_id=2].
Affected code
The vulnerability resides in `src/praisonai-platform/praisonai_platform/services/auth_service.py`, lines 25-36 and 114-137 [ref_id=1][ref_id=2]. The JWT signing secret defaults to the hardcoded literal `"dev-secret-change-me"` when `PLATFORM_JWT_SECRET` is unset, and the safety check that should catch this only fires when `PLATFORM_ENV != "dev"` — but the default value of `PLATFORM_ENV` is `"dev"`, so the check is silently bypassed [ref_id=1][ref_id=2]. The `_verify_token` function at line 129 trusts the `sub`, `email`, and `name` claims from any token whose HMAC-SHA256 signature validates against the publicly-known secret [ref_id=1][ref_id=2].
What the fix does
The patch provided in the advisory (not present in the supplied `patch_id=3131085` diff, which only bumps version numbers and fixes a custom-tool import) is a suggested fix that removes the `_DEFAULT_SECRET` fallback and raises a `RuntimeError` at import time when `PLATFORM_JWT_SECRET` is unset, unless the operator explicitly sets `PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT=1` [ref_id=1][ref_id=2]. In dev mode, an ephemeral random secret is generated per process instead of using a hardcoded value [ref_id=1][ref_id=2]. This closes the vulnerability by ensuring that a deployment without a configured secret either fails to start or uses a secret that an attacker cannot predict from the public source code [ref_id=1][ref_id=2].
Preconditions
- configThe praisonai-platform package is deployed without explicitly setting both PLATFORM_JWT_SECRET and PLATFORM_ENV to a non-"dev" value
- networkThe attacker has network reachability to the target API
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.