Compliance Impact

This vulnerability allows unauthenticated access to privileged management tools, enabling attackers to read and modify live orchestrator configurations, manage security tokens, and control agents without credentials.

Such unauthorized access and control over system configurations and security tokens can lead to breaches of confidentiality, integrity, and availability of sensitive data, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential unauthorized data access, lack of proper access controls, and failure to protect sensitive information.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-42856 is a high-severity vulnerability in the npm package "network-ai" (versions up to 5.1.2) where the MCP HTTP transport endpoint does not require any authentication, session, origin, or token checks for JSON-RPC tool calls.

Because the default bind address is 0.0.0.0, the service is exposed to any party with network access, allowing attackers to enumerate and invoke privileged management tools without credentials.

This means attackers can perform actions such as reading and modifying the live orchestrator configuration, listing or dispatching agents, creating or revoking security tokens, and adjusting global budget settings.

The root cause is missing authentication checks in the JSON-RPC tool dispatch mechanism, enabling full control over the system by unauthenticated users.

The vulnerability was fixed in version 5.1.3 by enforcing authentication, changing the default bind address to 127.0.0.1, and requiring explicit opt-in for non-loopback bindings.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any attacker with network access to the MCP HTTP endpoint to gain unauthorized control over the Network-AI orchestrator.

• Attackers can read and modify the live orchestrator configuration.
• They can list or dispatch agents managed by the orchestrator.
• They can create or revoke security tokens, potentially compromising system security.
• They can adjust global budget settings, which may affect resource allocation or system behavior.

Overall, this leads to a complete loss of control and potential compromise of the system without requiring any authentication.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the MCP HTTP endpoint of Network-AI is accessible without authentication and bound to a non-loopback address (default 0.0.0.0). You can attempt to enumerate or invoke privileged management tools via JSON-RPC calls to verify if authentication is missing.

• Use network scanning tools (e.g., nmap) to detect if port(s) used by Network-AI MCP HTTP transport are open and listening on 0.0.0.0.
• Send unauthenticated JSON-RPC requests to the MCP HTTP endpoint to test if privileged commands like `config_get`, `config_set`, or `agent_list` can be invoked without credentials.
• Example curl command to test unauthenticated access: curl -X POST http://<target-ip>:<port>/ -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","method":"config_get","params":[],"id":1}'

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Network-AI to version 5.1.3 or later where the issue is fixed.

• Enforce authentication on the MCP HTTP transport to prevent unauthenticated access to privileged tools.
• Change the bind address from the default 0.0.0.0 to 127.0.0.1 to restrict access to localhost only.
• If remote access is required, explicitly configure and secure non-loopback bindings with proper authentication.

Useful 0 Not Useful 0