CVE-2026-47410 Elastic Security · Elastic

Detect PraisonAI Platform JWT Hardcoded Secret Key Token Forgery in Elastic Security

Detects exploitation of CVE-2026-47410, a critical vulnerability in praisonai-platform (<= 0.1.2) where the JWT signing key defaults to the hardcoded value 'dev-secret-change-me' when PLATFORM_ENV is unset. An unauthenticated attacker can forge valid JWTs for any user, including administrators, enabling full platform compromise.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where event.category == "network" and
   http.request.method in ("POST", "PUT", "DELETE", "PATCH") and
   url.path like~ "*/api/*" and
   http.request.headers.authorization like~ "Bearer *"]
  [network where event.category == "network" and
   http.response.status_code in (200, 201, 204) and
   url.path like~ "*/admin/*" or url.path like~ "*/users/*"]
| where #sequences >= 1
critical severity medium confidence

EQL sequence detection identifying HTTP sessions where Bearer token authentication is used to access admin or user management endpoints, potentially indicating JWT forgery exploitation.

Data Sources

Elastic APMFilebeat (nginx/apache modules)Packetbeat

Required Tables

logs-*filebeat-*packetbeat-*

False Positives & Tuning

  • Legitimate administrators performing routine user management tasks via API
  • Automated provisioning systems with valid admin JWT tokens
  • CI/CD pipelines performing integration tests against staging environments with hardcoded keys
  • API explorers or Swagger UI usage by authenticated developers

Other platforms for CVE-2026-47410

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Forge Admin JWT Using Hardcoded Dev Secret

    Expected signal: Python3 process execution with inline code containing 'dev-secret-change-me' string; no network activity generated by this step alone.

  2. Test 2Use Forged Admin JWT Against praisonai-platform API

    Expected signal: Network connection from test host to praisonai-platform port 8000; HTTP GET request with Authorization: Bearer header visible in access logs; HTTP 200 response to admin-only /api/users/ endpoint.

  3. Test 3Enumerate and Escalate via Forged JWT in Headless Environment

    Expected signal: Multiple sequential HTTP requests to distinct admin endpoints within seconds from same source IP; all authenticated with the same Bearer token; successful 200 responses to admin-restricted paths.

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-47410 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1552.001Credentials In FilesT1078.003Local AccountsT1134Access Token Manipulation

Same Tactic: Initial Access

Popular Detections