Network-AI CVE-2026-46701 — Unauthenticated Cross-Origin MCP Tool Invocation

AI relevance: An MCP server package for AI agent orchestration ships with authentication effectively disabled by default and permissive CORS, so any website a developer visits can invoke all 22 tools against their local agent — including spawning new agents and writing to the shared blackboard.

  • Network-AI (network-ai on npm) is an AI agent orchestration framework that exposes 22 MCP tools over an SSE server on localhost.
  • The server reads its secret from process.env['NETWORK_AI_MCP_SECRET'], falling back to an empty string. If the env var is unset, which is the default, _isAuthorized() returns true unconditionally: an empty secret is treated as "no authentication required" rather than as a configuration error, so the check fails open.
  • Every response carries Access-Control-Allow-Origin: *, so a malicious webpage can make cross-origin fetch calls (or open an EventSource against the SSE endpoint) to the localhost MCP server and read the results. CORS only gates reading, not sending: the browser delivers a simple cross-origin POST to 127.0.0.1 regardless, and the wildcard header is what lets the attacker's page see the tool output.
  • An attacker who lures a developer to their page can invoke all 22 tools without any Authorization header, including config_set, agent_spawn, and blackboard_write.
  • This is the simplest possible MCP server misconfiguration: no auth + wildcard CORS = unauthenticated cross-origin tool invocation against a local agent runtime.
  • Published as GHSA-j3vx-cx2r-pvg8 on May 21, 2026; credited to researchers 232-323 and min8282.

Why it matters

Developers routinely install npm packages that launch localhost servers during development. Loopback binding is not a trust boundary against the browser: any site the developer has open can send requests to 127.0.0.1, and an MCP server that accepts them without credentials is an open door with every tool available for abuse. The combination of empty-default auth and wildcard CORS turns a developer workstation into an externally controllable agent host.

What to do

  • If you use Network-AI, set NETWORK_AI_MCP_SECRET to a long, random, non-empty value immediately, restart the server, and confirm that a request with no Authorization header is now rejected.
  • Never ship MCP servers with empty-default secrets; require explicit configuration for authentication.
  • Audit your MCP server CORS policies — Access-Control-Allow-Origin: * on a localhost endpoint defeats the purpose of local-only trust boundaries.
  • Bind MCP servers to loopback only, but do not treat that as sufficient: browsers reach loopback freely, so reject any request whose Origin header is not on an explicit allowlist, reflect the matched origin instead of *, and apply the same rule to OPTIONS preflights.

Sources: