# [CRIT] [GHSA / CRITICAL] CVE-2026-48814: Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests

**Source:** GitHub Security Advisories
**Published:** 2026-06-19
**Article:** https://github.com/advisories/GHSA-r78r-rwrf-rjwp

## Threat Profile

Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests

## Advisory / Disclosure

# Network-AI — CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives

**Target:** Jovancoding/Network-AI (npm `network-ai`), **latest v5.7.1**
**Status:** the advisory ("Unauthenticated Cross-Origin MCP Tool Invocation via Empty
Default Secret") named three flaws. The fix (5.4.5) closed the **CORS** flaw
(`Access-Control-Allow-Origin` is now set on…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-48814`
- **CVE:** `CVE-2026-46701`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1195.001** — Compromise Software Dependencies and Development Tools
- **T1059** — Command and Scripting Interpreter
- **T1133** — External Remote Services

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Vulnerable network-ai (<=5.7.1) npm package present in node_modules

`UC_22_1` · phase: **delivery** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\node_modules\\network-ai\\*" by Filesystem.dest Filesystem.file_path Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | sort - firstTime
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(30d)
| where FolderPath has @"node_modules\network-ai"
| where FolderPath !has @"_cacache" and FolderPath !has @"\.npm\" and FolderPath !has @"\pnpm-store\"
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), FilesWritten=dcount(FileName), SamplePath=any(FolderPath), SawPackageJson=maxif(1, FileName =~ "package.json") by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| order by FirstSeen desc
```

### network-ai MCP SSE server launched in non-stdio (vulnerable) mode

`UC_22_2` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*network-ai*" Processes.process="*mcp-server*" Processes.process!="*--stdio*" by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | sort - firstTime
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has "network-ai" and ProcessCommandLine has "mcp-server"
| where ProcessCommandLine !has "--stdio"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName, SHA256
| order by Timestamp desc
```

### Unauthenticated non-loopback POST /mcp tool invocation against network-ai SSE server

`UC_22_3` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method=POST (Web.url="*/mcp" OR Web.url="*/mcp/*" OR Web.url="*/mcp?*") Web.status=200 Web.src!="127.0.0.1" Web.src!="::1" by Web.src Web.dest Web.dest_port Web.url Web.http_method Web.status Web.http_user_agent | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | sort - firstTime
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessCommandLine has "network-ai" and InitiatingProcessCommandLine has "mcp-server"
| where InitiatingProcessCommandLine !has "--stdio"
| where ActionType == "InboundConnectionAccepted"
| where RemoteIPType != "Loopback" and RemoteIP !in ("127.0.0.1", "::1")
| summarize Connections=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Ports=make_set(LocalPort, 10) by DeviceName, RemoteIP, RemoteIPType, InitiatingProcessFileName, InitiatingProcessAccountName
| order by FirstSeen desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-48814`, `CVE-2026-46701`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 4 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.