Auth bypass in Jovancoding Network-ai

CVE-2026-42856

Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestra…

Vulnerability class: Broken Authentication

EPSS: 0.000 (5.4th percentile) — read the EPSS interpretation.

Affected products

Jovancoding Network-ai — versions < 5.1.3

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

security-advisories@github.com (x_refsource_CONFIRM)