This release includes one security fix and is relevant to security teams reviewing exposed deployments.
ReleasePort's take
McpSseServer now enforces authentication and rejects empty secrets in _isAuthorized() and listen(), eliminating the risk of unauthenticated access.
Why it matters: CVE-2026-46701 (CVSS 7.5) is fixed in version v5.7.2: McpSseServer._isAuthorized returns false for empty secrets, and listen() throws an error if the secret is missing, preventing open deployments.
Summary
AI summary: Fixed missing authentication in McpSseServer allowing unauthenticated access (CVE-2026-46701).
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | McpSseServer._isAuthorized() now returns false when secret is empty, denying unauthenticated access. (Source: llm_adapter@2026-05-23, confidence: low) | — |
| Security | Medium | McpSseServer.listen() now throws an error if secret is empty, preventing accidental open deployments. (Source: llm_adapter@2026-05-23, confidence: low) | — |
| Feature | Medium | McpSseTransport now accepts an optional secret constructor parameter, automatically adding an Authorization: Bearer header when set. (Source: llm_adapter@2026-05-23, confidence: high) | — |
Full changelog
Security Fix — GHSA-r78r-rwrf-rjwp / CVE-2026-46701
Severity: High (CWE-306 / CWE-862 — Missing Authentication, incomplete fix)
Credit: @SnailSploit
What was vulnerable
`McpSseServer._isAuthorized()` returned `true` when no secret was configured, granting every unauthenticated caller full access to all 22 MCP tools (`blackboard_write`, `agent_spawn`, `config_set`, token management, etc.). The `bin/mcp-server.ts` CLI path already exited on a missing secret, but callers who instantiated `McpSseServer` directly from `lib/` bypassed this guard entirely.
What changed
- **`_isAuthorized()`** — now returns `false` (fail closed) when `secret` is empty. Requests are denied regardless of bind address.
- **`listen()`** — now rejects with a hard `Error` if `McpSseServerOptions.secret` is empty, preventing accidental open deployments.
- **`McpSseTransport`** — new optional `secret` constructor parameter; attaches an `Authorization: Bearer` header automatically when set.
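The fail-open check described above beside its fail-closed replacement, as an added TypeScript example written for this page (a hypothetical reconstruction, not the project's own code; the function names, the `Req` shape, the `assertSecretConfigured` helper and the sample secret are assumptions):

```typescript
// Minimal request shape; a real server would read http.IncomingMessage headers.
interface Req { headers: Record<string, string | undefined> }

// Extract the token from "Authorization: Bearer <token>", if present.
function bearerToken(req: Req): string | undefined {
  const h = req.headers["authorization"] ?? "";
  const m = /^Bearer\s+(\S+)$/i.exec(h);
  return m ? m[1] : undefined;
}

// Constant-time string compare (dependency-free stand-in for crypto.timingSafeEqual).
function safeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  }
  return diff === 0;
}

// Vulnerable pattern (hypothetical reconstruction of the pre-fix behaviour):
// an unset secret disables the check instead of denying access.
function isAuthorizedOpen(secret: string, req: Req): boolean {
  if (!secret) return true;   // BUG: no secret => every caller is allowed
  return bearerToken(req) === secret;
}

// Hardened pattern: empty secret denies every request (fail closed, regardless
// of bind address), and a presented token is compared in constant time.
function isAuthorizedClosed(secret: string, req: Req): boolean {
  if (!secret) return false;
  const token = bearerToken(req);
  if (token === undefined) return false;
  return safeEqual(token, secret);
}

// Mirror of the listen() guard: refuse to start at all without a secret.
function assertSecretConfigured(secret: string | undefined): string {
  if (!secret || secret.trim() === "") {
    throw new Error("McpSseServer: a non-empty secret is required to listen()");
  }
  return secret;
}
```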
Upgrade
```bash
npm install network-ai-server@5.7.2
```
All callers that instantiate `McpSseServer` directly must pass a non-empty `secret`. For stdio mode (Claude Desktop / Cursor / Glama) use `--stdio`; `McpSseServer` is not involved.
Tests
All 3,136 tests pass. `test-phase6.ts` Section 7 updated to supply secrets to all authenticated endpoints.
Breaking Changes
- _isAuthorized() now returns false when secret is empty, denying all requests without a valid secret.
- listen() throws an Error if McpSseServerOptions.secret is empty, preventing accidental open deployments.
Security Fixes
- CVE-2026-46701 (GHSA-r78r-rwrf-rjwp) — McpSseServer._isAuthorized() no longer grants access without a configured secret, fixing missing authentication vulnerability.
About Jovancoding/Network-AI
Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.