
Unauthenticated MCP SSE Tool Invocation in Network-AI

Identifiers: CVE-2026-48814, CWE-306

CVE-2026-48814 is a missing-authentication vulnerability in Network-AI, a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server defaults to an empty authorization secret, and the authorization logic (isAuthorized()) returns true when the secret is missing or empty. Although CVE-2026-46701 previously restricted CORS to localhost origins, that change only reduced browser-based abuse and did not address direct non-browser access. As a result, the SSE MCP server remained effectively unauthenticated by default, particularly when bound to a non-loopback interface. An attacker able to reach the MCP SSE endpoint can invoke all exposed MCP tools, including sensitive operations such as config_set, agent_spawn, blackboard_write, and token* functions, without credentials. The issue was fixed in version 5.7.2 by changing authorization behavior to fail closed when no secret is configured and by requiring a Bearer token that matches the configured secret.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote access to critical orchestration functions exposed through 22 MCP tools. This can enable unauthorized reading of system state, modification of orchestrator configuration, manipulation of shared blackboard variables, spawning of new agents, and use of token-related operations. The vulnerability can lead to broad compromise of the underlying multi-agent environment, with high confidentiality and integrity impact. The provided material does not indicate a primary availability impact.

Mitigation

If you can’t patch tonight, do this now.

Until patched, do not expose the MCP SSE server on non-loopback interfaces. Bind the service to localhost only (for example, 127.0.0.1), avoid 0.0.0.0 or other remotely reachable addresses, and explicitly configure a strong non-empty NETWORK_AI_MCP_SECRET. Apply network-layer restrictions to prevent remote access to the MCP endpoint and reduce SSRF reachability from adjacent services.

Remediation

Patch, then assume compromise.

Upgrade Network-AI to version 5.7.2 or later. The fix changes the MCP SSE authorization model to fail closed when no secret is configured and requires a valid Authorization header using a Bearer token that matches the configured secret. After upgrading, verify that the MCP SSE server is not operating with an empty secret and that authentication is enforced for all remote requests.
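
The fail-open and fail-closed authorization behaviors described above, plus a check for the mitigation settings, as an added example. This is not Network-AI source code: the function names, the header-object shape, and the `host`/`secret` config fields are assumptions made for illustration, and the sample values are constructed.

```javascript
// Added illustration; NOT Network-AI source. Names and shapes are assumptions.

// Fail-open pattern the advisory describes for versions <= 5.7.1:
// a missing or empty secret is treated as "authorized".
function isAuthorizedFailOpen(headers, secret) {
  if (!secret) return true; // the defect: no secret configured => allow
  return bearerMatches(headers, secret);
}

// Fail-closed pattern the advisory describes for 5.7.2:
// no secret => deny; otherwise require a matching Bearer token.
function isAuthorizedFailClosed(headers, secret) {
  if (typeof secret !== "string" || secret.length === 0) return false;
  return bearerMatches(headers, secret);
}

// Accepts only "Authorization: Bearer <token>" with a token equal to the secret.
function bearerMatches(headers, secret) {
  const value = headers && headers["authorization"]; // Node lowercases header names
  if (typeof value !== "string") return false;
  const m = /^Bearer ([^\s]+)$/i.exec(value);
  return m !== null && constantTimeEqual(m[1], secret);
}

// Compare without early exit so timing does not reveal a partial match.
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Deployment check for the mitigation: non-empty secret and loopback-only bind.
function auditMcpSseConfig(cfg) {
  const findings = [];
  if (!cfg.secret) findings.push("NETWORK_AI_MCP_SECRET is empty or unset");
  if (!["127.0.0.1", "::1", "localhost"].includes(cfg.host))
    findings.push("bound to non-loopback address " + cfg.host);
  return findings;
}
```
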
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
