Description
Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2.
Published: 2026-06-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Network‑AI is a TypeScript/Node.js orchestrator that in versions 5.7.1 and earlier exposed its SSE MCP server to unauthenticated access because the default secret was empty. The isAuthorized() routine returned true when the secret was blank, allowing any client to invoke all 22 MCP tools, including privileged operations such as agent_spawn and token_* management. This flaw means an attacker can run arbitrary orchestration commands on the host without credentials, effectively gaining remote code‑execution capability.

Affected Systems

The vulnerability affects Jovancoding’s Network‑AI product, specifically versions 5.7.1 and earlier. The issue was addressed in release 5.7.2. No other vendor or product is listed, so only users running the affected Network‑AI versions are at risk.

Risk and Exploitability

The CVSS score of 9.1 classifies the flaw as critical. EPSS <1% indicates a low expected exploitation probability at the time of assessment, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw permits unauthenticated remote command execution, an attacker with network reach to the SSE endpoint can immediately gain full control. The attack requires only a simple HTTP request to the server’s SSE socket, so any external process such as curl, SSRF, or a remote control system can abuse it if the server is reachable.

Generated by OpenCVE AI on June 18, 2026 at 19:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Network‑AI to version 5.7.2 or newer, where the default secret is no longer empty and isAuthorized() requires a valid token.
  • If an immediate upgrade is not possible, modify the configuration to set a non‑empty secret for the SSE MCP server; this will cause isAuthorized() to reject empty or missing tokens.
  • Limit the SSE MCP server’s network exposure by binding it to localhost or restricting access with firewalls, ensuring only trusted internal hosts can reach the endpoint.
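To make the defect and the fix concrete, the following TypeScript is an added example (not Network-AI's own code) that contrasts a fail-open authorization check of the kind the description reports, where an empty configured secret short-circuits to "allowed", with a fail-closed one that never authorizes on an empty secret, compares tokens in constant time, and turns the non-loopback-bind warning into a startup refusal. The config shape, the Bearer header convention and the function names are assumptions.

```typescript
// Added example, not Network-AI's own code. Names and config shape are assumed.
interface ServerConfig {
  secret: string;    // shared secret expected from MCP clients
  bindHost: string;  // interface the SSE server listens on
}

// Assumed minimal request shape: only the Authorization header matters here.
interface Request {
  headers: Record<string, string | undefined>;
}

// Extract a "Bearer <token>" credential, or undefined when absent/malformed.
function bearerToken(req: Request): string | undefined {
  const h = req.headers["authorization"] ?? "";
  const m = /^Bearer\s+(\S+)$/i.exec(h);
  return m ? m[1] : undefined;
}

// Constant-time string comparison so a wrong token fails in the same time as
// any other wrong token. In production Node code, crypto.timingSafeEqual on
// equal-length Buffers is the usual choice; this version avoids Node imports.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// VULNERABLE pattern (CWE-306): an empty configured secret is treated as
// "authentication not configured" and every caller is authorized.
function isAuthorizedFailOpen(cfg: ServerConfig, req: Request): boolean {
  if (cfg.secret === "") return true;  // the bug: empty secret => allow everyone
  return bearerToken(req) === cfg.secret;
}

// HARDENED: an empty secret can never authorize; a missing or mismatched
// token is rejected; comparison does not leak mismatch position by timing.
function isAuthorizedFailClosed(cfg: ServerConfig, req: Request): boolean {
  if (cfg.secret.length === 0) return false;
  const presented = bearerToken(req);
  if (presented === undefined) return false;
  return constantTimeEqual(presented, cfg.secret);
}

function isLoopback(host: string): boolean {
  return host === "localhost" || host === "127.0.0.1" || host === "::1";
}

// Startup validation: instead of only logging a warning, report each unsafe
// condition so the caller can refuse to start. Returns the list of problems;
// an empty list means the configuration is acceptable.
function validateStartup(cfg: ServerConfig): string[] {
  const problems: string[] = [];
  if (cfg.secret.length === 0) {
    problems.push("secret is empty: every request would be unauthenticated");
  }
  if (!isLoopback(cfg.bindHost)) {
    problems.push(`bind host ${cfg.bindHost} is not loopback: endpoint is reachable from the network`);
  }
  return problems;
}

// Constructed sample configurations to show both paths.
const insecureDefault: ServerConfig = { secret: "", bindHost: "0.0.0.0" };
const hardened: ServerConfig = { secret: "example-secret-set-by-operator", bindHost: "127.0.0.1" };

console.log("fail-open, no credentials:", isAuthorizedFailOpen(insecureDefault, { headers: {} }));   // true
console.log("fail-closed, no credentials:", isAuthorizedFailClosed(insecureDefault, { headers: {} })); // false
console.log("startup problems:", validateStartup(insecureDefault));
console.log("hardened startup problems:", validateStartup(hardened));
```

The useful property of the fail-closed version is that the empty-secret case has no "allow" branch at all: the only way a request is authorized is by presenting a token equal to a non-empty configured secret, which is exactly the behaviour the 5.7.2 fix is described as restoring.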

Generated by OpenCVE AI on June 18, 2026 at 19:18 UTC.


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Jovancoding; Jovancoding network-ai
Type: Vendors & Products
Values Added: Jovancoding; Jovancoding network-ai

Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values Added: Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2.
Type: Title
Values Added: Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)
Type: Weaknesses
Values Added: CWE-306
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T19:43:01.315Z

Reserved: 2026-05-22T20:57:10.976Z

Link: CVE-2026-48814

Vulnrichment

Updated: 2026-06-18T19:42:14.003Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:30:15Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function