Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)
Description
Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=5.7.1
Patches
Vulnerability mechanics
Root cause
"The MCP SSE server defaults to an empty secret and _isAuthorized() returns true when the secret is empty, allowing unauthenticated tool invocation."
Attack vector
An attacker who can reach the MCP SSE server port (e.g. via an SSRF on the host, a non-loopback bind in Docker/remote deployments, or a direct curl request) can invoke all 22 MCP tools — including `config_set`, `agent_spawn`, `blackboard_write`, and `token_*` — without any credentials [ref_id=2]. The server defaults to an empty secret, so `_isAuthorized()` unconditionally returns `true` and no `Authorization` header is required [ref_id=1]. The CORS wildcard was fixed in 5.4.5 to only allow localhost origins, eliminating the browser drive-by vector, but non-browser callers remain fully unauthenticated [ref_id=2].
Affected code
The flaw resides in `bin/mcp-server.ts` (line 89) where the secret defaults to an empty string (`process.env['NETWORK_AI_MCP_SECRET'] ?? ''`), and in `lib/mcp-transport-sse.ts` (line 254) where `_isAuthorized()` returns `true` when the secret is falsy. The `listen()` method only prints a warning on non-loopback binds instead of refusing to start [ref_id=2].
What the fix does
The fix in v5.7.2 makes two changes: `_isAuthorized()` now returns `false` (fail closed) when the secret is empty, and `listen()` rejects with a hard `Error` if `McpSseServerOptions.secret` is empty, preventing accidental open deployments [ref_id=3]. This ensures that an empty secret is treated as "deny all" rather than "allow all", closing the authentication bypass that survived the earlier CORS-only fix.
Preconditions
- configThe MCP SSE server must be running with the default empty secret (no NETWORK_AI_MCP_SECRET set).
- networkThe attacker must have network reachability to the server port — via SSRF, a non-loopback bind (e.g. Docker/remote), or direct HTTP access.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/Jovancoding/Network-AI/releases/tag/v5.7.2mitrex_refsource_MISC
- github.com/Jovancoding/Network-AI/security/advisories/GHSA-r78r-rwrf-rjwpmitrex_refsource_CONFIRM
- github.com/advisories/GHSA-j3vx-cx2r-pvg8mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.