CVE-2026-42856

HIGH SEVERITY

Vulnerability Description

Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools. This vulnerability is fixed in 5.1.3.

Vulnerability Details

Published Date

May 05, 2026

Last Modified

May 13, 2026

CWE ID

CWE-306

Source

GitHub

Vendor

npm

Product

network-ai

External References

https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-fj4g-2p96-q6m3
https://github.com/advisories/GHSA-fj4g-2p96-q6m3

CVE-2026-42856

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment