Summary
praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard)
References
Related vulnerabilities
All Supply chain →- CRITICALGHSA-CWJ8-7GP2-GGCW
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery
- HIGHGHSA-8CCJ-P46R-JWQQ
PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication
- CRITICALGHSA-J4F3-55X4-R6Q2
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
- HIGHGHSA-4QQ2-2J2X-X62C
npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation
- HIGHGHSA-F59H-Q822-G45G
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
- CRITICALGHSA-365W-HQF6-VXFG
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution