Detect PraisonAI Platform JWT Hardcoded Secret Key Token Forgery in Microsoft Sentinel
Detects exploitation of CVE-2026-47410, a critical vulnerability in praisonai-platform (<= 0.1.2) where the JWT signing key defaults to the hardcoded value 'dev-secret-change-me' when PLATFORM_ENV is unset. An unauthenticated attacker can forge valid JWTs for any user, including administrators, enabling full platform compromise.
MITRE ATT&CK
KQL Detection Query
let SuspiciousEndpoints = dynamic(["/api/", "/admin/", "/auth/", "/users/"]);
let KnownForgedClaims = dynamic(["dev-secret-change-me"]);
union
(
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where requestUri_s has_any (SuspiciousEndpoints)
| extend AuthHeader = extract(@'Authorization:\s*Bearer\s+([A-Za-z0-9+/=._-]+)', 1, httpHeaders_s)
| where isnotempty(AuthHeader)
| extend JWTPayload = base64_decode_tostring(extract(@'^[^.]+\.([^.]+)', 1, AuthHeader))
| where JWTPayload has_any ("admin", "superuser", "root") or JWTPayload has "role"
| project TimeGenerated, clientIP_s, requestUri_s, httpMethod_s, JWTPayload, AuthHeader
),
(
AppServiceHTTPLogs
| where ScStatus in (200, 201, 204) and CsMethod in ("GET", "POST", "PUT", "DELETE", "PATCH")
| where CsUriStem has_any (SuspiciousEndpoints)
| extend AuthHeader = extract(@'Bearer\s+([A-Za-z0-9+/=._-]+)', 1, CsUriQuery)
| where isnotempty(AuthHeader)
| project TimeGenerated, CIp, CsUriStem, CsMethod, ScStatus, AuthHeader
)
| summarize RequestCount = count(), UniqueEndpoints = dcount(requestUri_s ?? CsUriStem), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ClientIP = clientIP_s ?? CIp
| where RequestCount > 5 or UniqueEndpoints > 3
| extend RiskScore = case(UniqueEndpoints > 5, "High", RequestCount > 20, "High", "Medium")
| sort by RequestCount descDetects potential JWT token forgery against praisonai-platform by monitoring for authenticated API requests from IPs exhibiting anomalous breadth or volume of access, which may indicate forged tokens granting elevated privileges.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate automation or API clients making bulk requests across multiple endpoints
- Security scanning tools performing authenticated vulnerability assessments
- Load testing tools targeting the praisonai-platform application
- Monitoring agents performing health checks across multiple API endpoints
Other platforms for CVE-2026-47410
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Forge Admin JWT Using Hardcoded Dev Secret
Expected signal: Python3 process execution with inline code containing 'dev-secret-change-me' string; no network activity generated by this step alone.
- Test 2Use Forged Admin JWT Against praisonai-platform API
Expected signal: Network connection from test host to praisonai-platform port 8000; HTTP GET request with Authorization: Bearer header visible in access logs; HTTP 200 response to admin-only /api/users/ endpoint.
- Test 3Enumerate and Escalate via Forged JWT in Headless Environment
Expected signal: Multiple sequential HTTP requests to distinct admin endpoints within seconds from same source IP; all authenticated with the same Bearer token; successful 200 responses to admin-restricted paths.
Unlock Pro Content
Get the full detection package for CVE-2026-47410 including response playbook, investigation guide, and atomic red team tests.