network-ai
npm4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting network-aipage 1 of 1
- CVE-2026-42856HIGHCVSS 8.7EG 8.7✓ Fixed in 5.1.32026-05-11
Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestra…
- CVE-2026-46701HIGHCVSS 7.6EG 7.6✓ Fixed in 5.4.52026-05-21
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret # Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret | Field | Value | | ---------------- | ----- | | Repository …
- CVE-2026-48814CRITICALCVSS 9.1EG 9.1✓ Fixed in 5.7.22026-06-17
Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CV…
- CVE-2026-54051CRITICALCVSS 9.9EG 9.9✓ Fixed in 5.9.12026-06-19
Network-AI: Improper Neutralization of Special Elements used in an OS Command ## Summary The agent sandbox gates shell commands behind an allowlist (`SandboxPolicy.isCommandAllowed`), which THREAT_MODEL.md calls the main control against…
Check whether network-ai is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for network-ai CVEs against the assets you own.
Start Free Scan →