CVE-2026-48814 - Vulnerability Details

Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00297.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/Jovancoding/Network-AI/releases/tag/v5.7.2
https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-r78r-rwrf-rjwp
https://github.com/advisories/GHSA-j3vx-cx2r-pvg8

History

Thu, 18 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2.
Title		Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)
Weaknesses		CWE-306
References		https://github.com/Jovancoding/Network-AI/releases/tag/v5.7.2 https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-r78r-rwrf-rjwp https://github.com/advisories/GHSA-j3vx-cx2r-pvg8
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-17T19:42:30.415Z

Updated: 2026-06-17T19:42:30.415Z

Reserved: 2026-05-22T20:57:10.976Z

Link: CVE-2026-48814

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object