CVE-2026-48814
Received Received - Intake
Network-AI Unauthenticated MCP Tool Invocation via Empty Default Secret

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-18
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-48814
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
network-ai network-ai From 5.7.2 (inc) to 5.7.3 (exc)
network-ai network-ai to 5.4.5 (inc)
network-ai network-ai to 5.7.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Network-AI, a TypeScript/Node.js multi-agent orchestrator, in versions 5.7.1 and earlier. The MCP SSE server allows unauthenticated cross-origin invocation of MCP tools because it uses an empty default secret. Although a previous fix (CVE-2026-46701) addressed a related CORS issue by restricting Access-Control-Allow-Origin to localhost, the empty secret flaw remained. The server's authorization function returns true when the secret is empty, allowing any non-browser caller (such as curl, SSRF, or a 0.0.0.0 bind) to invoke all 22 MCP tools without credentials. This means the server runs fully unauthenticated by default. The issue was fixed in version 5.7.2.

Impact Analysis

This vulnerability can have a severe impact because it allows unauthenticated attackers to invoke all MCP tools without any credentials. This could lead to unauthorized configuration changes, spawning agents, writing to blackboards, and manipulating tokens, potentially compromising the integrity and security of the system. Given the high CVSS score of 9.1, the risk of exploitation is significant and could result in unauthorized control over the orchestrator's functions.

Mitigation Strategies

To mitigate this vulnerability, upgrade Network-AI to version 5.7.2 or later, where the issue with the empty default secret and unauthenticated MCP SSE server has been fixed.

Until the upgrade can be performed, avoid exposing the MCP SSE server to non-loopback network interfaces and restrict access to trusted origins only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48814. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart