GHSA-f38v-77qj-h4jq: praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard)

June 18, 2026

Affected: praisonai-platform (PyPI) <= 0.1.4 — including 0.1.4, the version GHSA-3qg8-5g3r-79v5 declares as the patch; main HEAD 8acf77c531e624c46d3d61dcae37e9942e90972c is also affected. File src/praisonai-platform/praisonai_platform/services/auth_service.py
CWE: CWE-1188 (Insecure Default Initialization) + CWE-798 (Use of Hard-coded Credentials) -> CWE-287 (Improper Authentication)

References

github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f38v-77qj-h4jq
github.com/advisories/GHSA-f38v-77qj-h4jq

Code Behaviors & Features

Detect and mitigate GHSA-f38v-77qj-h4jq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →