Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
- Severity: High
Description
| Field | Value |
| --- | --- |
| Repository | Jovancoding/Network-AI |
| Affected version | v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac) |
Recommendation
Update the network-ai package to the latest compatible version. Version details:
- Affected version(s): <= 5.4.4
- Patched version(s): 5.4.5
References
Related Issues
- Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls - CVE-2026-42856
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - CVE-2026-42042
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- Tags: npm, network-ai
Last updated on May 21, 2026


