Origin Validation Error Affecting network-ai package, versions <5.4.5


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.02% (7th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-NETWORKAI-17756610
  • published1 Jul 2026
  • disclosed21 May 2026
  • creditUnknown

Introduced: 21 May 2026

CVE-2026-46701  (opens in a new tab)
CWE-346  (opens in a new tab)

How to fix?

Upgrade network-ai to version 5.4.5 or higher.

Overview

network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu

Affected versions of this package are vulnerable to Origin Validation Error due to the default configuration setting an empty secret in the process.env['NETWORK_AI_MCP_SECRET'] environment variable, which causes the authorization check in the function to always return true. Combined with the unconditional application of the Access-Control-Allow-Origin: * header in the function, this allows unauthenticated cross-origin requests to invoke sensitive MCP tools. An attacker can modify orchestrator configuration, spawn arbitrary agents, corrupt shared agent state, or tamper with token management by luring a user to visit a malicious web page while the server is running locally.

CVSS Base Scores

version 4.0
version 3.1