CVE-2026-47410 Sumo Logic CSE · Sumo

Detect PraisonAI Platform JWT Hardcoded Secret Key Token Forgery in Sumo Logic CSE

Detects exploitation of CVE-2026-47410, a critical vulnerability in praisonai-platform (<= 0.1.2) where the JWT signing key defaults to the hardcoded value 'dev-secret-change-me' when PLATFORM_ENV is unset. An unauthenticated attacker can forge valid JWTs for any user, including administrators, enabling full platform compromise.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=web/access OR _sourceCategory=application/python
| parse regex "Authorization: Bearer (?P<jwt_token>[A-Za-z0-9+/=._-]+)"
| where !isEmpty(jwt_token)
| parse field=jwt_token "*.*.*" as jwt_header, jwt_payload, jwt_sig nodrop
| where !isEmpty(jwt_payload)
| tourl jwt_payload as decoded_attempt
| if (matches(jwt_payload, "*admin*") OR matches(jwt_payload, "*superuser*") OR matches(jwt_payload, "*is_admin*"), "suspicious", "normal") as token_class
| count as request_count, values(url) as endpoints_accessed by src_ip, token_class, jwt_payload
| where token_class = "suspicious" OR request_count > 10
| sort by request_count desc
| fields src_ip, request_count, endpoints_accessed, token_class, jwt_payload
critical severity medium confidence

Sumo Logic query detecting anomalous Bearer JWT usage with privileged claims against praisonai-platform endpoints, useful for identifying active exploitation of the hardcoded signing key.

Data Sources

Web access logsPython application logs

Required Tables

_sourceCategory=web/access_sourceCategory=application/python

False Positives & Tuning

  • Legitimate admin service accounts with tokens containing admin claims performing routine operations
  • Batch processing jobs with elevated JWT claims running on schedule
  • Developer activity in non-production environments where hardcoded keys are intentionally in use
  • Security audit tools performing authenticated enumeration with valid credentials

Other platforms for CVE-2026-47410

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Forge Admin JWT Using Hardcoded Dev Secret

    Expected signal: Python3 process execution with inline code containing 'dev-secret-change-me' string; no network activity generated by this step alone.

  2. Test 2Use Forged Admin JWT Against praisonai-platform API

    Expected signal: Network connection from test host to praisonai-platform port 8000; HTTP GET request with Authorization: Bearer header visible in access logs; HTTP 200 response to admin-only /api/users/ endpoint.

  3. Test 3Enumerate and Escalate via Forged JWT in Headless Environment

    Expected signal: Multiple sequential HTTP requests to distinct admin endpoints within seconds from same source IP; all authenticated with the same Bearer token; successful 200 responses to admin-restricted paths.

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-47410 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1552.001Credentials In FilesT1078.003Local AccountsT1134Access Token Manipulation

Same Tactic: Initial Access

Popular Detections