CVE-2026-42856 is a high-severity missing authentication for critical function vulnerability in network-ai (npm), affecting versions <= 5.1.2. It is fixed in 5.1.3.
# Security Advisory: Missing Authentication for Critical Function in Jovancoding/Network-AI

| Field | Value |
|---|---|
| Project | Jovancoding/Network-AI |
| Repository | https://github.com/Jovancoding/Network-AI |
| Affected commit | c344f2053eb0d49395988f803bf92f2a86b2a0d0 |
| Affected tested version | 5.1.2 |
| Vulnerability type | CWE-306: Missing Authentication for Critical Function |
| Severity | High |
| Authentication required | None |
| Default network exposure | Bind address 0.0.0.0 |
| Reporter validation date | 2026-04-21 |

## Summary

The MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools, including reading and mutating the live orchestrator configuration, listing registered agents, dispatching agents, creating/revoking security tokens, and adjusting global budget ceilings.

## Affected Code

- bin/mcp-server.ts:75, server binds to 0.0.0.0 by default.
- lib/mcp-transport-sse.ts:155, handleRPC() dispatches tools/call directly to the provider's call(toolName, toolArgs).
- lib/mcp-transport-sse.ts:379, handlePost() parses the JSON-RPC body and calls this.bridge.handleRPC(rpc) with no auth check.
- lib/mcp-tools-control.ts:80, configget exposes live runtime configuration.
- lib/mcp-tools-control.ts:197, agentlist exposes registered agents.
- lib/mcp-tools-control.ts:231, configset mutates runtime configuration in place: this.config[key] = parsed.

## Proof of Concept

The PoC was executed against a local Docker build of the affected commit, bound to http://localhost:13001. No authentication header was sent. All inner-JSON excerpts below are decoded from the JSON-RPC result.content[0].text field for readability; the raw wire transcripts (which contain the literal escaped JSON-RPC envelope) are in evidence/.
### Step 1, list exposed tools (unauthenticated)

HTTP/1.1 200 OK, body returned 22 tools. Privileged tools observed in the inventory include:

- configget, configset: read and mutate live orchestrator configuration
- agentlist, agentspawn, agentstop: enumerate, dispatch, and stop agents
- tokencreate, tokenrevoke: mint and revoke security tokens
- budgetsetceiling: adjust the global token budget ceiling
- fsmtransition: drive finite-state-machine transitions
- blackboardwrite, blackboarddelete: mutate the shared blackboard

Full transcript: evidence/01gettools.txt.

### Step 2, read live configuration (unauthenticated)

HTTP/1.1 200 OK, decoded inner JSON:

Full transcript: evidence/02configgetbefore.txt.

### Step 3, mutate live configuration (unauthenticated)

HTTP/1.1 200 OK, decoded inner JSON:

Full transcript: evidence/03configset.txt.

### Step 4, confirm mutation persisted (unauthenticated)

HTTP/1.1 200 OK, decoded inner JSON (relevant key only):

This proves the runtime change applied by step 3 is observable on the next read. Full transcript: evidence/04configgetafter.txt.

### Step 5, enumerate registered agents (unauthenticated)

HTTP/1.1 200 OK, decoded inner JSON:

This is a privileged management read; the empty array reflects the test environment, not a control. Full transcript: evidence/05agentlist.txt.

### Cleanup, runtime state restored

After the PoC, defaultTimeout was restored to 30000 via the same unauthenticated configset (previous":12345,"current":30000,"applied":true). All testing was performed against a local Docker container only.

## Impact

Unauthenticated network access enables full enumeration and invocation of the orchestrator's management functionality. An attacker can change runtime configuration (e.g., defaultTimeout, enableTracing), dispatch or stop agents, mutate the shared blackboard, mint or revoke security tokens, and adjust global budget ceilings.
The default 0.0.0.0 bind, combined with the absence of any auth gate, increases the likelihood of accidental exposure on any host with a routable interface.

## Suggested Remediation

- Enforce authentication inside handlePost() before reaching handleRPC(). At a minimum, require a shared secret / bearer token loaded from configuration; reject any request that does not present it.
- Default the bind address to 127.0.0.1. Require an explicit configuration opt-in to bind to non-loopback interfaces, and warn on startup when binding outside loopback without an authentication mechanism configured.
- For tool-level defense in depth, gate state-mutating tools (configset, agentspawn, agentstop, tokencreate, tokenrevoke, budgetsetceiling, fsmtransition, blackboardwrite, blackboarddelete) behind an explicit authorization check tied to a verified caller identity.

## Verification Environment

- Local Docker container only; no third-party deployment was tested.
- Local build required a minimal Dockerfile fix; the application code path under test was not modified.
- Runtime state (defaultTimeout) was restored to default after the PoC.

## Attached Evidence

Files in evidence/ are raw curl -i transcripts captured during the verification sequence above. They are provided as supplementary backup; the key excerpts are already inlined in this report.

| File | Purpose |
|---|---|
| 01gettools.txt | Step 1, full GET /tools request and 22-tool inventory response |
| 02configgetbefore.txt | Step 2, full configget request and live configuration response |
| 03configset.txt | Step 3, full configset request mutating defaultTimeout |
| 04configgetafter.txt | Step 4, full configget request showing the mutation persisted |
| 05agentlist.txt | Step 5, full agentlist request and response |
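The three items under Suggested Remediation, sketched as one fail-closed gate in TypeScript. This is an added example, not code from Network-AI or its 5.1.3 fix: every type and function name, the token-to-caller map and the request shape are assumptions, and only the tool names come from the advisory.

```typescript
// Added example, hypothetical names throughout; not Network-AI code.
type Caller = { id: string; mayMutate: boolean };
type GateConfig = { host?: string; allowNonLoopback?: boolean; tokens: Record<string, Caller> };
type GateRequest = { headers: Record<string, string | undefined>; body: string };
type GateResponse = { status: number; body: string };
type Dispatch = (tool: string, args: unknown, caller: Caller) => unknown;
type RpcCall = { id?: unknown; method?: string; params?: { name?: string; arguments?: unknown } };
// State-mutating tools, spelled as in the advisory's remediation list.
const MUTATING_TOOLS = ["configset", "agentspawn", "agentstop", "tokencreate", "tokenrevoke",
  "budgetsetceiling", "fsmtransition", "blackboardwrite", "blackboarddelete"];

// No early exit on the first differing character. In Node, crypto.timingSafeEqual
// over fixed-length digests is the usual primitive for this comparison.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i); // NaN acts as 0
  return diff === 0;
}

// Loopback unless the operator opts in. Stricter than a startup warning:
// a routable bind with no token configured is refused.
function resolveBindHost(cfg: GateConfig): string {
  const host = cfg.host ?? "127.0.0.1";
  const loopback = host === "127.0.0.1" || host === "::1" || host === "localhost";
  if (!loopback && !(cfg.allowNonLoopback && Object.keys(cfg.tokens).length > 0)) {
    throw new Error("refusing non-loopback bind without opt-in and a configured token");
  }
  return host;
}

// Map the bearer token to a caller identity (header names lower-cased, as Node delivers them).
function authenticate(req: GateRequest, cfg: GateConfig): Caller | null {
  const header = req.headers["authorization"] ?? "";
  const presented = header.slice(0, 7) === "Bearer " ? header.slice(7) : "";
  let caller: Caller | null = null;
  for (const token of Object.keys(cfg.tokens)) // every token is checked, no early exit
    if (presented !== "" && constantTimeEqual(presented, token)) caller = cfg.tokens[token] ?? null;
  return caller;
}

// Runs before the JSON-RPC body is parsed or dispatched: 401, then 400, then 403.
function handlePostGated(req: GateRequest, cfg: GateConfig, dispatch: Dispatch): GateResponse {
  const reply = (status: number, payload: unknown): GateResponse => ({ status, body: JSON.stringify(payload) });
  const caller = authenticate(req, cfg);
  if (!caller) return reply(401, { error: "unauthorized" });
  let rpc: RpcCall | null; try { rpc = JSON.parse(req.body); } catch { rpc = null; }
  const tool = rpc?.method === "tools/call" ? rpc?.params?.name : undefined;
  if (!tool) return reply(400, { error: "unsupported request" });
  if (MUTATING_TOOLS.indexOf(tool) !== -1 && !caller.mayMutate) return reply(403, { error: "forbidden" });
  return reply(200, { jsonrpc: "2.0", id: rpc?.id ?? null, result: dispatch(tool, rpc?.params?.arguments, caller) });
}
```

An empty token map rejects every request, so a deployment that forgets to configure a secret fails closed instead of falling back to the unauthenticated behaviour described in the advisory.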
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
Package (npm): network-ai (<= 5.1.2)
Fix: network-ai → 5.1.3 (npm)

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-42856 is reachable in your applications.
Upgrade network-ai to 5.1.3 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
network-ai (npm) versions <= 5.1.2 are affected.
Yes. CVE-2026-42856 is fixed in 5.1.3. Upgrade to this version or later.
Whether CVE-2026-42856 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.