CVE-2026-47410 CrowdStrike LogScale · LogScale

Detect PraisonAI Platform JWT Hardcoded Secret Key Token Forgery in CrowdStrike LogScale

Detects exploitation of CVE-2026-47410, a critical vulnerability in praisonai-platform (<= 0.1.2) where the JWT signing key defaults to the hardcoded value 'dev-secret-change-me' when PLATFORM_ENV is unset. An unauthenticated attacker can forge valid JWTs for any user, including administrators, enabling full platform compromise.

MITRE ATT&CK

Tactics: Initial Access, Privilege Escalation, Credential Access

LogScale Detection Query

CrowdStrike LogScale (CQL):

```cql
// NetworkConnectIP4 is the primary query so every connection is counted; the
// ProcessRollup2 subquery enriches each connection with the owning process.
#event_simpleName=NetworkConnectIP4
| in(field="RemotePort", values=["8000", "8080", "8443", "5000", "3000"])
| join({#event_simpleName=ProcessRollup2
        | ImageFileName=/python|uvicorn|gunicorn|hypercorn/i
        | CommandLine=/praisonai|platform/i},
       field=[aid, ContextProcessId], key=[aid, TargetProcessId], mode=inner,
       include=[CommandLine, ImageFileName])
| groupBy([aid, CommandLine, ImageFileName],
          function=[count(as=connection_count), collect([RemoteIP, RemotePort])])
| connection_count > 10
| risk := if(connection_count > 50, then="critical",
             else=if(connection_count > 20, then="high", else="medium"))
| select([aid, CommandLine, ImageFileName, connection_count, RemoteIP, RemotePort, risk])
| sort(connection_count, order=desc)
```

Severity: critical. Confidence: low.

CrowdStrike Falcon CQL query identifying praisonai-platform Python processes with anomalous inbound network connection volumes, which may indicate active exploitation via forged JWT tokens enabling mass API abuse.

Data Sources

  • CrowdStrike Falcon sensor process telemetry
  • CrowdStrike network events

Required Tables

  • ProcessRollup2
  • NetworkConnectIP4

False Positives & Tuning

  • High-traffic production praisonai-platform deployments with legitimate load
  • Load balancer health checks generating many short-lived connections
  • Development environments running integration test suites
  • Legitimate batch processing workloads making many API calls

Testing Methodology

Validate this detection against the three adversary techniques below, which follow the Atomic Red Team format. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Forge Admin JWT Using Hardcoded Dev Secret

    Expected signal: Python3 process execution with inline code containing 'dev-secret-change-me' string; no network activity generated by this step alone.

  2. Test 2: Use Forged Admin JWT Against praisonai-platform API

    Expected signal: Network connection from test host to praisonai-platform port 8000; HTTP GET request with Authorization: Bearer header visible in access logs; HTTP 200 response to admin-only /api/users/ endpoint.

  3. Test 3: Enumerate and Escalate via Forged JWT in Headless Environment

    Expected signal: Multiple sequential HTTP requests to distinct admin endpoints within seconds from same source IP; all authenticated with the same Bearer token; successful 200 responses to admin-restricted paths.
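Test 3's expected signal expressed as log-side detection logic, added here as an example that is not part of this detection package or of praisonai-platform: it scans constructed access-log lines for a burst of distinct admin endpoints answered with HTTP 200 to the same Bearer token from one source IP inside a short window, and decodes the token's claims without verifying them for alert context. The log line format, the admin path prefixes and the sample token are assumptions.

```python
import base64, json, re
from collections import defaultdict
from datetime import datetime

# Assumption: combined-style access-log lines that also record the Authorization header.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \d+ "Bearer (?P<token>[A-Za-z0-9_.-]+)"$')
ADMIN_PREFIXES = ("/api/users", "/api/admin")  # assumption: admin-only path prefixes

def _b64url(obj):  # JSON -> unpadded base64url, the encoding of JWT segments
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying it; used only for alert context."""
    parts = token.split(".")
    try:
        return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except (IndexError, ValueError):
        return {}

def find_admin_bursts(lines, window_seconds=10, min_endpoints=3):
    """Alert on (source IP, token) pairs that get HTTP 200 from at least
    min_endpoints distinct admin paths within window_seconds (Test 3's signal)."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200" or not m["path"].startswith(ADMIN_PREFIXES):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], m["token"])].append((ts, m["path"]))
    alerts = []
    for (ip, token), events in hits.items():
        events.sort()  # sliding window over the time-ordered requests
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(paths) >= min_endpoints:
                alerts.append({"source_ip": ip, "paths": sorted(paths),
                               "claims": decode_claims(token)})
                break
    return alerts

# Constructed sample token: real header/claims, a placeholder instead of a signature.
DEMO_TOKEN = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                       _b64url({"sub": "admin", "role": "admin"}), "placeholder"])
SAMPLE_LOG = [  # constructed lines; 203.0.113.7 hits three admin endpoints in 3 s
    f'203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "GET /api/users/ HTTP/1.1" 200 512 "Bearer {DEMO_TOKEN}"',
    f'203.0.113.7 - - [01/Mar/2026:10:00:02 +0000] "GET /api/admin/settings HTTP/1.1" 200 88 "Bearer {DEMO_TOKEN}"',
    f'203.0.113.7 - - [01/Mar/2026:10:00:04 +0000] "POST /api/admin/keys HTTP/1.1" 200 40 "Bearer {DEMO_TOKEN}"',
    f'198.51.100.9 - - [01/Mar/2026:10:00:05 +0000] "GET /api/users/ HTTP/1.1" 401 0 "Bearer {DEMO_TOKEN}"',
]
```

Running `find_admin_bursts(SAMPLE_LOG)` yields one alert for 203.0.113.7 listing the three admin paths and the token's claimed subject; the 401 request from the second IP is ignored because only successful admin responses count.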
