{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-46701/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Network-AI (\u003c= 5.4.4)"],"_cs_severities":["high"],"_cs_tags":["cve","cve-2026-46701","network","cross-origin","authentication bypass"],"_cs_type":"advisory","_cs_vendors":["Jovancoding"],"content_html":"\u003cp\u003eNetwork-AI v5.4.4 is vulnerable to an unauthenticated cross-origin MCP tool invocation due to an empty default secret and permissive CORS settings. The MCP SSE server defaults to an empty secret, causing the \u003ccode\u003e_isAuthorized\u003c/code\u003e function to unconditionally return \u003ccode\u003etrue\u003c/code\u003e. Simultaneously, \u003ccode\u003e_handleRequest\u003c/code\u003e sets \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e on every response, allowing cross-origin browser requests. An attacker can lure a user to a malicious web page and invoke all 22 exposed MCP tools, including \u003ccode\u003econfig_set\u003c/code\u003e, \u003ccode\u003eagent_spawn\u003c/code\u003e, and \u003ccode\u003eblackboard_write\u003c/code\u003e, against a default-configured localhost server. This vulnerability is tracked as CVE-2026-46701.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker hosts a malicious web page designed to interact with the Network-AI MCP server.\u003c/li\u003e\n\u003cli\u003eA user with a default-configured Network-AI MCP server running locally visits the malicious web page.\u003c/li\u003e\n\u003cli\u003eThe malicious web page sends an HTTP OPTIONS request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint to check CORS preflight. 
The server responds with \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious web page sends an HTTP POST request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint with a JSON-RPC payload targeting an MCP tool (e.g., \u003ccode\u003econfig_set\u003c/code\u003e). No \u003ccode\u003eAuthorization\u003c/code\u003e header is included.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s \u003ccode\u003e_isAuthorized\u003c/code\u003e function evaluates to \u003ccode\u003etrue\u003c/code\u003e because the secret is empty.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s \u003ccode\u003e_handleRequest\u003c/code\u003e function sets \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e on the response.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s \u003ccode\u003e_bridge.handleRPC\u003c/code\u003e function executes the requested MCP tool (e.g., \u003ccode\u003econfig_set\u003c/code\u003e to modify configuration).\u003c/li\u003e\n\u003cli\u003eThe malicious web page receives the response and can read the result due to the permissive CORS setting, confirming successful execution of the MCP tool.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAny web page visited by a user who has the Network-AI MCP server running locally on the default port (3001) with no configured secret can silently invoke all 22 MCP tools without credentials. This allows for arbitrary orchestrator configuration mutation (\u003ccode\u003econfig_set\u003c/code\u003e), spawning arbitrary agents (\u003ccode\u003eagent_spawn\u003c/code\u003e), corrupting shared agent state (\u003ccode\u003eblackboard_write\u003c/code\u003e / \u003ccode\u003eblackboard_delete\u003c/code\u003e), and tampering with token management (\u003ccode\u003etoken_create\u003c/code\u003e / \u003ccode\u003etoken_revoke\u003c/code\u003e). 
The integrity impact is high because core orchestrator state can be overwritten.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor\u0026rsquo;s suggested remediation by requiring a non-empty secret at startup (see remediation #1 in the overview) to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eImplement the vendor\u0026rsquo;s suggested fix by restricting CORS to localhost origins only (see remediation #2 in the overview) to prevent cross-origin requests.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Network-AI MCP Tool Invocation Without Authorization\u0026rdquo; to identify attempts to exploit this vulnerability by monitoring POST requests to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint without an Authorization header.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Network-AI that addresses CVE-2026-46701.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T22:41:02Z","date_published":"2026-05-21T22:41:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-network-ai-mcp-tool-invocation/","summary":"Network-AI is vulnerable to an unauthenticated cross-origin attack due to an empty default secret and permissive CORS configuration, allowing an attacker to lure a user to a malicious web page and invoke MCP tools like config_set, agent_spawn, and blackboard_write against a default-configured localhost server.","title":"Network-AI Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret (CVE-2026-46701)","url":"https://feed.craftedsignal.io/briefs/2026-05-network-ai-mcp-tool-invocation/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-46701","version":"https://jsonfeed.org/version/1.1"}