CVE-2026-48814 is a critical-severity missing authentication for critical function vulnerability in network-ai (npm), affecting versions <= 5.7.1. It is fixed in 5.7.2.
Advisory / Disclosure Network-AI, CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives Target: Jovancoding/Network-AI (npm network-ai), latest v5.7.1 Status: the advisory ("Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret") named three flaws. The fix (5.4.5) closed the CORS flaw (Access-Control-Allow-Origin is now set only for localhost origins), but left the empty-default-secret flaw the title is about: the SSE MCP server still defaults to an empty secret, isAuthorized() still returns true when the secret is empty, and a non-loopback bind only warns. So the server still runs fully unauthenticated by default, any non-browser caller (curl, SSRF, or a 0.0.0.0 bind) can invoke all 22 MCP tools (configset, agentspawn, blackboardwrite, token) with no credentials. Class: CWE-306/CWE-862 Missing Authentication, incomplete fix. Methodology: M1 incomplete-fix audit (anchor = the 5.4.5 fix; sibling-walk on latest v5.7.1, executed). Severity: High (matches parent; the browser amplifier is removed, so exploitation now needs non-browser reach, SSRF or a non-loopback bind, which the fix only warns about). What the fix did and didn't do (verified on latest v5.7.1) | advisory flaw | latest v5.7.1 | |---|---| | wildcard CORS (ACAO: ) | FIXED, lib/mcp-transport-sse.ts sets ACAO only when origin matches ^https?://(localhost\|127\.0\.0\.1)(:\d+)?$ | | empty default secret | NOT FIXED, bin/mcp-server.ts: secret: process.env['NETWORKAIMCPSECRET'] ?? '' | | isAuthorized open on empty secret | NOT FIXED, if (!this.opts.secret) return true; | | require secret / refuse unauth bind | NOT DONE, listen() only process.stderr.write('… WARNING …') on non-loopback bind, then listens anyway | The advisory's remediation #1 ("Require a non-empty secret at startup … process.exit(1)") was not implemented. PoC (executed against the latest source, v5.7.1), poc/legend-networkai-empty-secret.ts Instantiates the real McpSseServer from the latest lib/ with a mock bridge and the default (empty) secret, then issues requests (run-log poc/run-log.txt): The no-auth request passes isAuthorized and reaches handleRPC (tool dispatched), i.e. unauthenticated tool invocation persists on the latest release; only the browser-CORS read amplifier was removed. Run: from a v5.7.1 checkout, npm i then npx ts-node --transpile-only poc/legend-networkai-empty-secret.ts. Recommended fix Implement the advisory's remediation #1: refuse to start SSE mode with an empty secret (unless --stdio), and/or change isAuthorized to fail closed (an empty configured secret should mean "deny", not "allow"). The CORS allowlist alone does not authenticate non-browser callers. Precondition / honesty With CORS now localhost-only, the drive-by browser attack is mitigated. The residual requires a non-browser path to the port: an SSRF on the host, or the operator binding to a non-loopback address (Docker/remote), which the fix only warns about. The empty secret remains the shipped default and _isAuthorized still authorizes it. Credits @Kai Aizen / @SnailSploit, https://snailsploit.com
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
CVE-2026-48814 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (5.7.2). Upgrading removes the vulnerable code path.
npm
network-ai (<= 5.7.1)network-ai → 5.7.2 (npm)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-48814 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-48814 is reachable in your applications. Get a demo
Upgrade network-ai to 5.7.2 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-48814 is a critical-severity missing authentication for critical function vulnerability in network-ai (npm), affecting versions <= 5.7.1. It is fixed in 5.7.2. A critical operation is accessible without requiring any authentication.
CVE-2026-48814 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
network-ai (npm) versions <= 5.7.1 is affected.
Yes. CVE-2026-48814 is fixed in 5.7.2. Upgrade to this version or later.
Whether CVE-2026-48814 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade network-ai to 5.7.2 or later.