Network-AI
CVE-2026-48814
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-reachable SSE endpoint, no auth required by default, no user interaction; full read/write of agent config, blackboard, and tokens gives C:H/I:H, no direct availability impact.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2.
Analysis (AI)
Authentication bypass in Network-AI versions 5.7.1 and earlier allows unauthenticated remote attackers to invoke all 22 MCP tools on the SSE server because the default secret is empty and _isAuthorized() returns true when no secret is configured. Despite the partial fix for CVE-2026-46701 in 5.4.5 (which restricted CORS to localhost origins), any non-browser caller - curl, SSRF, or a service exposed via a 0.0.0.0 bind - can still call privileged operations like config_set, agent_spawn, blackboard_write, and token management with zero credentials. …
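The fail-open check described above, next to a fail-closed form and a startup policy that errors instead of warning. This is an added example, not Network-AI's code and not the 5.7.2 patch; the function names, the `allowRemote` option and the sample configurations are assumptions made for illustration.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Fail-open shape the advisory describes: an empty secret authorizes every caller.
function isAuthorizedFailOpen(secret, presented) {
  if (!secret) return true;
  return presented === secret;
}

// Fail-closed: with no usable secret configured, nobody is authorized.
function isAuthorizedFailClosed(secret, presented) {
  if (typeof secret !== 'string' || secret.trim() === '') return false;
  if (typeof presented !== 'string') return false;
  // Hash both values so timingSafeEqual always gets equal-length buffers.
  const a = createHash('sha256').update(secret).digest();
  const b = createHash('sha256').update(presented).digest();
  return timingSafeEqual(a, b);
}

const LOOPBACK_HOSTS = new Set(['127.0.0.1', '::1', 'localhost']);

// Startup policy (hypothetical): return hard errors instead of logging a warning.
// A loopback bind still needs a secret, because SSRF from a co-located
// service reaches 127.0.0.1 just as a local curl call does.
function startupErrors({ host, secret, allowRemote = false }) {
  const errors = [];
  if (typeof secret !== 'string' || secret.trim() === '') {
    errors.push('no secret configured: refusing to serve MCP tools unauthenticated');
  }
  if (!LOOPBACK_HOSTS.has(host) && !allowRemote) {
    errors.push(`bind host ${host} is not loopback and allowRemote is not set`);
  }
  return errors;
}

// Constructed sample configurations, not taken from any real deployment.
const samples = [
  { host: '127.0.0.1', secret: '' },
  { host: '0.0.0.0', secret: '' },
  { host: '127.0.0.1', secret: 'constructed-example-secret' },
];
for (const cfg of samples) {
  const errs = startupErrors(cfg);
  console.log(cfg.host, errs.length === 0 ? 'start' : `refuse: ${errs.join('; ')}`);
}
```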
Vulnerability Assessment (AI)
| Exploitation | Requires that the target runs Network-AI ≤ 5.7.1 with `NETWORK_AI_MCP_SECRET` unset (the documented default) and the MCP SSE server reachable by the attacker - either bound to a non-loopback interface (the pre-5.7.2 code only emits a warning, not a hard error, when binding outside 127.0.0.1), or reachable via SSRF from another local service, or invoked from a non-browser HTTP client such as curl. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 base score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) accurately captures the severity: a network-reachable, unauthenticated, no-interaction call that yields full confidentiality and integrity loss over agent state, configuration, and tokens. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a developer or CI host running Network-AI with `NETWORK_AI_MCP_SECRET` unset and the SSE server bound to a non-loopback interface (or reachable via SSRF in a co-located web app). With a single unauthenticated HTTP POST carrying a JSON-RPC frame, the attacker calls `config_set` to point the orchestrator at attacker-controlled endpoints, then `agent_spawn` to execute agent tasks and `blackboard_write` to inject crafted context, exfiltrating tokens via the token_* tools. … |
| Remediation | Vendor-released patch: 5.7.2 - upgrade with `npm install network-ai@5.7.2` (release notes: https://github.com/Jovancoding/Network-AI/releases/tag/v5.7.2). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: (1) Identify all Network-AI SSE server instances running version 5.7.1 or earlier in production and development environments, (2) Implement firewall rules restricting SSE server access to authorized internal networks only, (3) Enable comprehensive audit logging of all SSE server access and function invocations. …