Security Advisory: Missing Authentication for Critical Function in Jovancoding/Network-AI

| Field | Value | |---|---| | Project | Jovancoding/Network-AI | | Repository | https://github.com/Jovancoding/Network-AI | | Affected commit | c344f2053eb0d49395988f803bf92f2a86b2a0d0 | | Affected tested version | 5.1.2 | | Vulnerability type | CWE-306: Missing Authentication for Critical Function | | Severity | High | | Authentication required | None | | Default network exposure | Bind address 0.0.0.0 | | Reporter validation date | 2026-04-21 |

Summary

The MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools — including reading and mutating the live orchestrator configuration, listing registered agents, dispatching agents, creating/revoking security tokens, and adjusting global budget ceilings.

Affected Code

• bin/mcp-server.ts:75 — server binds to 0.0.0.0 by default.
• lib/mcp-transport-sse.ts:155 — handleRPC() dispatches tools/call directly to the provider's call(toolName, toolArgs).
• lib/mcp-transport-sse.ts:379 — _handlePost() parses the JSON-RPC body and calls this._bridge.handleRPC(rpc) with no auth check.
• lib/mcp-tools-control.ts:80 — config_get exposes live runtime configuration.
• lib/mcp-tools-control.ts:197 — agent_list exposes registered agents.
• lib/mcp-tools-control.ts:231 — config_set mutates runtime configuration in place: this._config[key] = parsed.

Proof of Concept

The PoC was executed against a local Docker build of the affected commit, bound to http://localhost:13001. No authentication header was sent. All inner-JSON excerpts below are decoded from the JSON-RPC result.content[0].text field for readability;...