CVE-2026-47410
CVE-2026-47410 — GHSA: praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
📅 2026-05-29
🔴 Critical | 🔥 No | GHSA | Vulnerability | CVSS 9.8

📋 Full description

## Summary

**Type:** Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal `"dev-secret-change-me"` when `PLATFORM_JWT_SECRET` is unset. A safety check exists but only fires when `PLATFORM_ENV != "dev"`; the default value of `PLATFORM_ENV` is `"dev"`, so the check is silently bypassed in any deployment that does not explicitly o

💻 Affected systems

GHSA: praisonai-platform: JWT

⚠️ Threat type

Vulnerability

🔗 CVE ID

CVE-2026-47410

📡 Source

GHSA

✅ Solutions and mitigation
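The fail-open default described in the summary, next to a fail-closed startup check, as an added example: this is not praisonai-platform's code or its official fix. The function names, `ConfigError` and the 32-byte minimum are assumptions made for the illustration; only the two literals and the two environment variable names come from the advisory text.

```python
import hmac

# Both literals are quoted in the advisory summary.
DEFAULT_SECRET = "dev-secret-change-me"
DEFAULT_ENV = "dev"
MIN_SECRET_BYTES = 32  # assumed floor for this example, not from the advisory


class ConfigError(RuntimeError):
    pass


def load_secret_fail_open(env):
    """Pattern from the summary: the guard runs only when PLATFORM_ENV != "dev"."""
    secret = env.get("PLATFORM_JWT_SECRET", DEFAULT_SECRET)
    platform_env = env.get("PLATFORM_ENV", DEFAULT_ENV)
    if platform_env != "dev" and secret == DEFAULT_SECRET:
        raise ConfigError("default JWT secret used outside dev")
    return secret  # nothing set: guard skipped, published literal returned


def load_secret_fail_closed(env):
    """Hardened variant: no built-in secret, and the check ignores PLATFORM_ENV."""
    secret = env.get("PLATFORM_JWT_SECRET", "")
    if not secret:
        raise ConfigError("PLATFORM_JWT_SECRET is not set")
    if hmac.compare_digest(secret.encode(), DEFAULT_SECRET.encode()):
        raise ConfigError("PLATFORM_JWT_SECRET is the published default")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        raise ConfigError("PLATFORM_JWT_SECRET is shorter than %d bytes" % MIN_SECRET_BYTES)
    return secret


def audit(env):
    """Return a finding for a deployment's environment, or None if it passes."""
    try:
        load_secret_fail_closed(env)
    except ConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    samples = {  # constructed environments, not taken from any real deployment
        "nothing set": {},
        "published default, env=dev": {"PLATFORM_JWT_SECRET": DEFAULT_SECRET, "PLATFORM_ENV": "dev"},
        "long constructed value": {"PLATFORM_JWT_SECRET": "k" * 48},
    }
    for name, env in samples.items():
        print(name, "->", audit(env) or "ok")
```

Tokens issued while the service was running on the default secret should be treated as untrusted once the secret is rotated.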

🔗 Original source | 📘 NVD | ⚡ CISA KEV