CVE-2026-42856: CWE-306: Missing Authentication for Critical Function in Jovancoding Network-AI
Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools. This vulnerability is fixed in 5.1.3.
AI Analysis
Technical Summary
Network-AI, a TypeScript/Node.js multi-agent orchestrator, had a missing authentication vulnerability (CWE-306) in its MCP HTTP transport prior to version 5.1.3. The transport accepted JSON-RPC tools/call requests without verifying authentication, session, origin, or tokens, and was bound by default to 0.0.0.0, exposing privileged management tools to any network party. This allowed unauthenticated remote invocation of critical functions. The issue is resolved in version 5.1.3.
Potential Impact
An attacker with network access to the vulnerable Network-AI service can enumerate and invoke privileged management tools without any authentication. This could lead to unauthorized control or disruption of the orchestrator's operations. The CVSS 4.0 score is 8.7 (high severity), reflecting the network attack vector, no required privileges or user interaction, and high impact on integrity.
Mitigation Recommendations
Upgrade Network-AI to version 5.1.3 or later, where this vulnerability is fixed. Since the vulnerability is resolved in this version, no additional mitigation steps are required beyond applying the official update.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-30T16:44:48.379Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a021aa3cbff5d8610430385
Added to database: 5/11/2026, 6:06:27 PM
Last enriched: 5/11/2026, 6:22:40 PM
Last updated: 5/12/2026, 3:53:09 AM