Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls
- Severity: High
Description
| Field | Value |
|---|---|
| Project | Jovancoding/Network-AI |
| Repository | https://github.com/Jovancoding/Network-AI |
| Affected commit | c344f2053eb0d49395988f803bf92f2a86b2a0d0 |
| Affected tested version | 5.1.2 |
| Vulnerability type | CWE-306: Missing Authentication for Critical Function |
| Severity | High |
| Authentication required | None |
| Default network exposure | Bind address `0.0.0.
Recommendation
Update the network-ai package to the latest compatible version. Version details:
- Affected version(s): <= 5.1.2
- Patched version(s): 5.1.3
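To confirm which installs in a dependency tree still fall in the affected range, the following added example (not code from the advisory or from the Network-AI project) scans a parsed `package-lock.json` in both the v1 and the v2/v3 layout. The sample lockfile and the `agent-kit` package name are constructed for illustration, and treating a 5.1.3 prerelease as unpatched is an assumption.

```javascript
// Added example: flag network-ai installs below the patched version in a parsed package-lock.json.
const PKG = "network-ai";
const PATCHED = [5, 1, 3]; // from the advisory: affected <= 5.1.2, patched 5.1.3

// Parse "x.y.z[-pre][+build]" into numeric parts; null when the string is not a plain version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL, tag or missing version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== PATCHED[i]) return p.nums[i] < PATCHED[i];
  }
  return p.pre; // assumption: a prerelease of 5.1.3 is treated as unpatched
}

// Return every install of network-ai in the lockfile that is below the patched version.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) { // lockfileVersion 2/3
    const name = meta.name || path.split("node_modules/").pop();
    if (name === PKG && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  if (lock.packages) return hits; // v2 mirrors the tree under "dependencies"; skip duplicates
  const walk = (deps, trail) => { // lockfileVersion 1: nested "dependencies" tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: a patched top-level copy and an affected transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/network-ai": { version: "5.1.3" },
    "node_modules/agent-kit/node_modules/network-ai": { version: "5.1.2" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

A nested copy pulled in by another package stays affected even after the top-level dependency is updated, which is why the scan reports the install path of each hit.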
References
Related Issues
- Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret - CVE-2026-46701
- @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck - CVE-2026-39397
- PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE - CVE-2026-45805
- Parse Server session creation endpoint allows overwriting server-generated session fields - CVE-2026-32742
- Tags: npm, network-ai
Last updated on May 13, 2026


