CVE-2026-47410 IBM QRadar · QRadar

Detect PraisonAI Platform JWT Hardcoded Secret Key Token Forgery in IBM QRadar

Detects exploitation of CVE-2026-47410, a critical vulnerability in praisonai-platform (<= 0.1.2) where the JWT signing key defaults to the hardcoded value 'dev-secret-change-me' when PLATFORM_ENV is unset. An unauthenticated attacker can forge valid JWTs for any user, including administrators, enabling full platform compromise.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip AS source_ip,
  "URL" AS request_url,
  "HTTP Method" AS http_method,
  "HTTP Response Code" AS response_code,
  "HTTP User Agent" AS user_agent,
  REGEXP_EXTRACT("HTTP Authorization", 'Bearer\s+([A-Za-z0-9+/=._-]+)', 1) AS jwt_token,
  COUNT(*) AS request_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'nginx', 'IBM Security Access Manager', 'Application Events')
  AND "HTTP Authorization" IMATCHES 'Bearer\s+[A-Za-z0-9+/=._-]+'
  AND ("URL" IMATCHES '.*/api/.*' OR "URL" IMATCHES '.*/admin/.*' OR "URL" IMATCHES '.*/auth/.*')
  AND DATEFORMAT(starttime, 'yyyy-MM-dd') = DATEFORMAT(NOW(), 'yyyy-MM-dd')
GROUP BY sourceip, "HTTP Authorization"
HAVING COUNT(*) > 5 OR "URL" IMATCHES '.*/admin/.*'
ORDER BY request_count DESC
LAST 24 HOURS
critical severity medium confidence

QRadar AQL query to surface Bearer-authenticated requests to praisonai-platform admin and API endpoints, grouped by source IP and token, to identify forged JWT usage patterns.

Data Sources

Apache HTTP Server log sourcenginx log sourceApplication event log source

Required Tables

events

False Positives & Tuning

  • High-volume legitimate API integrations from partner systems
  • Security scanners running authenticated scans of the application
  • Monitoring or observability agents polling admin health endpoints with service account tokens
  • Developers testing admin API endpoints during normal business hours

Other platforms for CVE-2026-47410

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Forge Admin JWT Using Hardcoded Dev Secret

    Expected signal: Python3 process execution with inline code containing 'dev-secret-change-me' string; no network activity generated by this step alone.

  2. Test 2Use Forged Admin JWT Against praisonai-platform API

    Expected signal: Network connection from test host to praisonai-platform port 8000; HTTP GET request with Authorization: Bearer header visible in access logs; HTTP 200 response to admin-only /api/users/ endpoint.

  3. Test 3Enumerate and Escalate via Forged JWT in Headless Environment

    Expected signal: Multiple sequential HTTP requests to distinct admin endpoints within seconds from same source IP; all authenticated with the same Bearer token; successful 200 responses to admin-restricted paths.

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-47410 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1552.001Credentials In FilesT1078.003Local AccountsT1134Access Token Manipulation

Same Tactic: Initial Access

Popular Detections