CVE-2026-48814: Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)
Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2.
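The fail-open check described above next to a fail-closed version, as an added TypeScript illustration. It is not Network-AI's source or the 5.7.2 patch; all function names are hypothetical, and how the secret reaches the server (header, query, config key) is not assumed.

```typescript
// Added illustration, not Network-AI source. All names are hypothetical.

// Fail-open: the behaviour the advisory attributes to _isAuthorized().
function isAuthorizedFailOpen(secret: string, presented?: string): boolean {
  if (secret === "") return true; // empty default secret authorizes every caller
  return presented === secret;
}

// Compare without returning early on the first differing character.
// In Node.js, crypto.timingSafeEqual over equal-length digests is the usual choice.
function sameSecret(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Fail-closed: an unset secret means nobody is authorized.
function isAuthorizedFailClosed(secret: string, presented?: string): boolean {
  if (secret.trim() === "") return false;
  if (presented === undefined || presented === "") return false;
  return sameSecret(secret, presented);
}

function isLoopback(host: string): boolean {
  return host === "localhost" || host === "::1" || /^127(\.\d{1,3}){3}$/.test(host);
}

// Startup gate: return an error instead of only logging a warning.
function startupError(bindHost: string, secret: string): string | null {
  if (secret.trim() !== "") return null;
  return isLoopback(bindHost)
    ? "no secret configured; refusing to start"
    : `no secret configured and ${bindHost} is not loopback; refusing to start`;
}
```

With the fail-closed pair, an unconfigured deployment stops at startup or rejects every request, so a missing secret is visible to the operator rather than silently granting access.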
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability in Network-AI, a TypeScript/Node.js multi-agent orchestrator, allows any remote caller to invoke the full set of MCP tools without credentials. The server's authorization check unconditionally returns true when the shared secret is empty, which is the default configuration, so no account or token is required to reach the API over the network. Successful exploitation gives an attacker full read and write access to agent configuration, blackboard state, and token stores across the orchestrator. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.
HarborGuard Coverage
Detection of CVE-2026-48814 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built Node.js images that bundle Network-AI. Coverage extends to indirect inclusions where Network-AI is pulled in as a transitive dependency.
Status: Available
Triage is available using the CVSS v3.1 score of 9.1 (Critical), weighted further by each customer environment's compliance policy to surface the finding to the appropriate team inbox. Per-organization routing rules ensure that container owners, not just platform-level admins, receive the alert for images they are responsible for.
Status: Available
Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment the upstream maintainer ships a corrected release. In the interim, customers can apply network-policy isolation or egress filtering through compensating controls available in the HarborGuard policy engine to reduce exposure for affected workloads.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the MCP SSE server over the network; any host that can send an HTTP request to the bound address (including via SSRF or a 0.0.0.0 bind) satisfies this condition.
- Authentication: Not required
  No credentials are needed because the default empty-secret configuration causes _isAuthorized() to return true unconditionally for all requests.
- Victim interaction: Not required
  Exploitation is fully server-side; no user action, click, or browser session is required.
- Attack complexity: Detail
  The exploit is reliable and condition-free: the vulnerable default is active out of the box, and a standard HTTP request is sufficient to trigger the bypass.
Blast Radius
- An attacker reads all configuration values set via config_set, including any secrets, API keys, or environment parameters stored in the orchestrator.
- An attacker writes arbitrary data to the shared blackboard, corrupting shared agent state and poisoning inputs consumed by downstream agents.
- An attacker spawns new agents or reconfigures existing ones via agent_spawn, taking full control of orchestration logic and task routing.
- An attacker reads and manipulates token stores via the token_* tools, enabling session hijacking or quota exhaustion across connected services.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-48814 is flagged as Critical (CVSS 9.1) with no upstream patch currently available, so the focus is on detection and compensating controls. HarborGuard continuously re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the maintainer publishes a fixed release. For customers who opt into auto-remediation, that rebuild will trigger a regression-test run and a PR opened against affected workloads without manual intervention. In the interim, HarborGuard's network-policy controls can be used to isolate containers running Network-AI 5.7.1 or earlier: restricting inbound access to the MCP SSE port to known internal callers and blocking non-loopback binds removes the unauthenticated network exposure described in this CVE. Customers should also consider setting an explicit non-empty secret via the orchestrator's configuration as a short-term workaround until the upstream fix is available.
- Jovancoding / Network-AI < 5.7.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N