CVE 8.7 HIGH

Network-AI: Missing authentication on MCP HTTP endpoint allows unauthenticated privileged tool calls_CVE-2026-42856

May 11, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools. This vulnerability is fixed in 5.1.3.

AI Analysis

Missing authentication on MCP HTTP endpoint allows unauthenticated privileged tool calls

Basic Information

ID CVE-2026-42856

Source GitHub_M

Published May 11, 2026 at 17:42

Modified May 11, 2026 at 18:33

Affected Product

Vendor Jovancoding

Product Network-AI

Version < 5.1.3

Affected Versions Jovancoding Network-AI < 5.1.3

CWE Classification

CWE-306

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Jovancoding

Product Network-AI

Version < 5.1.3

References

github.com /Jovancoding/Network-AI/security/advisories/GHSA-fj4g-2p96-q6m3

{
    "lastseen": "",
    "description": "Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools. This vulnerability is fixed in 5.1.3.",
    "published": "2026-05-11T17:42:35.260Z",
    "modified": "2026-05-11T18:33:59.839Z",
    "type": "cve",
    "title": "Network-AI: Missing authentication on MCP HTTP endpoint allows unauthenticated privileged tool calls",
    "source": "GitHub_M",
    "references": "https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-fj4g-2p96-q6m3",
    "id": "CVE-2026-42856",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "Jovancoding Network-AI < 5.1.3",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Network-AI",
    "version": "< 5.1.3",
    "vendor": "Jovancoding",
    "ai_description": "Missing authentication on MCP HTTP endpoint allows unauthenticated privileged tool calls",
    "ai_severity": "High",
    "ai_vendor": "Jovancoding",
    "ai_product": "Network-AI",
    "ai_version": "< 5.1.3",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply