No vendor fix or workaround currently provided.
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-r78r-rwrf-rjwp | Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests |
Thu, 18 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Thu, 18 Jun 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Jovancoding, Jovancoding network-ai | |
| Vendors & Products | Jovancoding, Jovancoding network-ai | |
Thu, 18 Jun 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2. | |
| Title | Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701) | |
| Weaknesses | CWE-306 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-18T19:43:01.315Z
Reserved: 2026-05-22T20:57:10.976Z
Link: CVE-2026-48814
Updated: 2026-06-18T19:42:14.003Z
OpenCVE Enrichment
Updated: 2026-06-18T19:30:15Z