{"data":{"id":"78a37bbb-8c56-4c88-a99e-c1676af56dd9","title":"GHSA-fj4g-2p96-q6m3: Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls","summary":"The Network-AI project has a critical vulnerability where its MCP HTTP endpoint (a server that handles tool requests) accepts requests without any authentication checks and binds to 0.0.0.0 (all network interfaces, so it is reachable from any network that can route to the host). This allows anyone who can reach the server to call privileged tools that can read and modify the system's configuration, control agents, create security tokens, and adjust budget limits.","solution":"Upgrade network-ai to 5.1.3 or later, the fixed version listed for this advisory; no other mitigation is discussed in the source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-fj4g-2p96-q6m3","publishedAt":"2026-05-05T17:25:37.000Z","cveId":"CVE-2026-42856","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["network-ai@<= 5.1.2 (fixed: 5.1.3)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Jovancoding/Network-AI","MCP (Model Context Protocol)"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-05T17:25:37.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}