CVE-2026-42856

Published: Mag 11, 2026 Last Modified: Mag 11, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,7
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools. This vulnerability is fixed in 5.1.3.

306

Missing Authentication for Critical Function

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Other
Potential Impacts:
Gain Privileges Or Assume Identity Varies By Context
Applicable Platforms
Technologies: Cloud Computing, ICS/OT
Likelihood of Exploit: High
View CWE Details
https://github.com/Jovancoding/Network-AI/security/advisori…
https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-fj4g-2p96-q6…
https://github.com/Jovancoding/Network-AI/security/advisori…
https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-fj4g-2p96-q6…