https://vulnerability.circl.lu/sightings/feed 2026-06-22T10:09:50.906922+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent sightings. https://vulnerability.circl.lu/sighting/04e3f658-84f0-4b1c-8f75-ed87a7143d9e/export 2026-06-22T10:09:51.313841+00:00 Joseph Lee https://cve.circl.lu/user/syspect {"uuid": "04e3f658-84f0-4b1c-8f75-ed87a7143d9e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-46701", "type": "published-proof-of-concept", "source": "https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-j3vx-cx2r-pvg8", "content": "", "creation_timestamp": "2026-05-16T15:11:55.000000Z"} 2026-05-16T15:11:55+00:00 https://vulnerability.circl.lu/sighting/231b1456-7159-4fa2-8971-f7ac97cea204/export 2026-06-22T10:09:51.313729+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "231b1456-7159-4fa2-8971-f7ac97cea204", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46701", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mojevvheah2c", "content": "CVE-2026-48814 - Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)\nCVE ID : CVE-2026-48814\n \n Published : June 17, 2026, 7:42 p.m. | 2\u00a0hours ago\n \n Description : Network-AI is a TypeScript/Node.js multi-agent orchestrator. In ve...", "creation_timestamp": "2026-06-17T22:38:26.278750Z"} 2026-06-17T22:38:26.278750+00:00 https://vulnerability.circl.lu/sighting/dd2de708-f0fa-415f-bc37-c64436c879a0/export 2026-06-22T10:09:51.310755+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "dd2de708-f0fa-415f-bc37-c64436c879a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46701", "type": "seen", "source": "https://gist.github.com/alon710/95012eaaac31573d3f20cff3cfbc3e84", "content": "# CVE-2026-48814: CVE-2026-48814: Missing Authentication for Critical Orchestration Tools in Network-AI McpSseServer\n\n> **CVSS Score:** 9.1\n> **Published:** 2026-06-19\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48814\n\n## Summary\nCVE-2026-48814 is a critical vulnerability classified as Missing Authentication for Critical Function (CWE-306) in Network-AI, a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the Model Context Protocol (MCP) Server-Sent Events (SSE) server allows unauthenticated, cross-origin invocation of sensitive orchestration tools. This vulnerability stems from an incomplete fix for CVE-2026-46701, where library-level server class initializations still default to an insecure empty-secret configuration, allowing remote attackers or Server-Side Request Forgery (SSRF) agents to execute administrative tools.\n\n## TL;DR\nThe Network-AI library (versions <= 5.7.1) features an insecure default configuration in its MCP Server-Sent Events server component. If initialized without a secret, it permits unauthenticated remote callers to invoke any of its 22 critical orchestration tools, potentially leading to unauthorized data exposure, state mutation, and arbitrary agent spawning.\n\n## Technical Details\n\n- **CWE ID**: CWE-306 (Missing Authentication for Critical Function)\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 9.1 (Critical)\n- **EPSS Score**: 0.00297 (~0.30% probability)\n- **Impact**: High Confidentiality, High Integrity, No Availability\n- **Exploit Status**: None (No public weaponized exploit available)\n- **KEV Status**: Not listed in CISA KEV Catalog\n\n## Affected Systems\n\n- Network-AI library environments implementing custom McpSseServer integrations\n- Node.js multi-agent orchestration backends running network-ai versions <= 5.7.1\n- **network-ai**: <= 5.7.1 (Fixed in: `5.7.2`)\n\n## Mitigation\n\n- Upgrade the network-ai dependency to version 5.7.2 or later.\n- Instantiate the McpSseServer class with a non-empty, cryptographically secure secret.\n- Restrict binding configurations to loopback addresses (127.0.0.1, localhost) instead of binding to 0.0.0.0.\n- Utilize local standard input/output (McpStdioTransport) transport channels where network binding is not strictly required.\n\n**Remediation Steps:**\n1. Run 'npm install network-ai@5.7.2' to update the library to the patched version.\n2. Audit custom integration files importing 'McpSseServer' from 'network-ai' and ensure a strong secret is passed during initialization.\n3. Ensure the server initialization code does not fail open when environment variables are missing.\n\n## References\n\n- [GitHub Security Advisory Record](https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-r78r-rwrf-rjwp)\n- [GitHub Release Log v5.7.2](https://github.com/Jovancoding/Network-AI/releases/tag/v5.7.2)\n- [GitHub Advisory Database Mapping](https://github.com/advisories/GHSA-j3vx-cx2r-pvg8)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48814) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T14:11:51.000000Z"} 2026-06-19T14:11:51+00:00