CVE-2026-46701 is a high-severity security vulnerability in network-ai (npm), affecting versions <= 5.4.4. It is fixed in 5.4.5.
Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret | Field | Value | | ---------------- | ----- | | Repository | Jovancoding/Network-AI | | Affected version | v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac) | Summary The MCP SSE server defaults to an empty secret (process.env['NETWORKAIMCPSECRET'] ?? '' at bin/mcp-server.ts:89), which causes isAuthorized (lib/mcp-transport-sse.ts:254) to return true unconditionally for every request, no Authorization header is required. Simultaneously, handleRequest sets Access-Control-Allow-Origin: (lib/mcp-transport-sse.ts:272) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools, including configset, agentspawn, and blackboardwrite, against a default-configured localhost server. Affected Code bin/mcp-server.ts:89, default secret resolves to empty string, enabling open access lib/mcp-transport-sse.ts:254, auth guard short-circuits to true when secret is falsy lib/mcp-transport-sse.ts:272, wildcard CORS header applied unconditionally before any auth check lib/mcp-transport-sse.ts:367-368, authenticated path dispatches parsed JSON-RPC frame directly to handleRPC with no further caller validation Any cross-origin browser request reaches handleRPC because isAuthorized returns true (empty secret) and the Access-Control-Allow-Origin: header lets the browser expose the response to the calling script. Proof of Concept Environment Network-AI v5.4.4 (latest) Docker container bound to 127.0.0.1:3001 Python 3 + requests poc.py Output Verified conditions OPTIONS /mcp → 204, Access-Control-Allow-Origin:, browser preflight accepted by server POST /mcp (no Authorization header) → 200, isError: false, configset executed without credentials Response Access-Control-Allow-Origin:, response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page Impact Any web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (configset); the same vector applies to agentspawn (spawning arbitrary agents), blackboardwrite / blackboarddelete (corrupting shared agent state), and tokencreate / tokenrevoke (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration). Remediation Require a non-empty secret at startup: in bin/mcp-server.ts, reject launch when args.secret is empty and --stdio is not set: typescript if (!args.secret && !args.stdio) { console.error('ERROR: --secret <token> or NETWORKAIMCPSECRET must be set for SSE mode.'); process.exit(1); } Restrict CORS to localhost origins only: in lib/mcp-transport-sse.ts:handleRequest, replace the wildcard with an allowlist: typescript const origin = req.headers['origin'] ?? ''; const allowed = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin); res.setHeader('Access-Control-Allow-Origin', allowed ? origin : ''); res.setHeader('Vary', 'Origin'); Move CORS headers after the auth check so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (/sse) if cross-origin streaming is needed and not on /mcp.
CVE-2026-46701 has a CVSS score of 7.6 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (5.4.5). Upgrading removes the vulnerable code path.
npm
network-ai (<= 5.4.4)network-ai → 5.4.5 (npm)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-46701 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-46701 is reachable in your applications. Get a demo
Upgrade network-ai to 5.4.5 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-46701 is a high-severity security vulnerability in network-ai (npm), affecting versions <= 5.4.4. It is fixed in 5.4.5.
CVE-2026-46701 has a CVSS score of 7.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
network-ai (npm) versions <= 5.4.4 is affected.
Yes. CVE-2026-46701 is fixed in 5.4.5. Upgrade to this version or later.
Whether CVE-2026-46701 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade network-ai to 5.4.5 or later.