What Happened
The praisonai-platform has a hardcoded JWT signing key 'dev-secret-change-me' that is used when the PLATFORM_JWT_SECRET environment variable is unset. This allows attackers to forge JWT tokens for any user, including workspace owners and admins.

Who Is Affected
Deployments of praisonai-platform that do not explicitly set both PLATFORM_JWT_SECRET and PLATFORM_ENV= are affected. The default deployment pattern using pip install and uvicorn is vulnerable.

Severity & Impact
The vulnerability has a CVSS score of 9.8 and is classified as sec-critical. An attacker can mint a JWT for any user_id on the deployment with the public secret, becoming that user across every authenticated route, without prior authentication.

Mitigation
To fix the vulnerability, set PLATFORM_JWT_SECRET to a strong random value in production. For local development, set PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT=1 to auto-generate an ephemeral random secret per process.
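The fallback described under "What Happened" next to a startup check that enforces the mitigation above, as an added illustration that is not the project's own code: the function names are hypothetical, and the only inputs are the environment variable names this advisory mentions.

```python
import secrets

# The literal the advisory says the platform falls back to when
# PLATFORM_JWT_SECRET is unset (value taken from the advisory text).
DEFAULT_DEV_SECRET = "dev-secret-change-me"


def vulnerable_jwt_secret(env: dict) -> str:
    """The weak pattern: silently fall back to a public, hardcoded secret."""
    return env.get("PLATFORM_JWT_SECRET", DEFAULT_DEV_SECRET)


class InsecureJwtSecret(RuntimeError):
    """Raised when the process would otherwise sign tokens with a known key."""


def hardened_jwt_secret(env: dict, min_length: int = 32) -> str:
    """Hardened pattern (hypothetical helper, not the project's code).

    Production: PLATFORM_JWT_SECRET must be set, must not be the public
    default, and must be reasonably long.
    Local development: only when PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT=1 is
    set, generate an ephemeral random secret for this process, so tokens
    never verify against a published value or across restarts.
    """
    secret = env.get("PLATFORM_JWT_SECRET")
    allow_insecure = env.get("PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT") == "1"

    if not secret:
        if allow_insecure:
            return secrets.token_urlsafe(48)
        raise InsecureJwtSecret(
            "PLATFORM_JWT_SECRET is unset; refusing to start with a default key"
        )
    if secret == DEFAULT_DEV_SECRET:
        raise InsecureJwtSecret("PLATFORM_JWT_SECRET is the public default value")
    if len(secret) < min_length:
        raise InsecureJwtSecret(
            f"PLATFORM_JWT_SECRET is shorter than {min_length} characters"
        )
    return secret


def deployment_is_affected(env: dict) -> bool:
    """True when the weak pattern would sign tokens with the public default."""
    return vulnerable_jwt_secret(env) == DEFAULT_DEV_SECRET
```

Call `hardened_jwt_secret(dict(os.environ))` once at process start; a deployment where `deployment_is_affected` is true is one the advisory describes.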