Network-AI Missing Authentication Vulnerability in MCP HTTP Transport Allows Unauthenticated Privileged Tool Calls
Vulnerability
A vulnerability exists in Network-AI versions prior to 5.1.3, where the MCP HTTP transport accepts JSON-RPC tools/call requests without any form of authentication, session, origin, or token verification. These requests are sent directly to the orchestrator's tool registry. The service is exposed on all network interfaces by default, allowing any party with network access to the service to enumerate and invoke privileged management tools. This includes capabilities such as reading and modifying the live orchestrator configuration, managing registered agents, creating or revoking security tokens, and adjusting global budget ceilings.
Impact
The lack of authentication allows full access to the orchestration management features over the network. An attacker can enumerate and invoke privileged tools, change runtime configurations, manage agents, and manipulate security tokens and budget settings. The default bind address increases the risk of unintentional exposure on any host with a routable interface.
Reproduction
The vulnerability can be reproduced by sending unauthenticated JSON-RPC tools/call requests to the MCP HTTP endpoint. This can be done using a tool like curl, targeting the default bind address of the service. Once the request is sent, the response can be used to verify the successful invocation of privileged management tools.
Remediation
Users are advised to update to Network-AI version 5.1.3 or later. Additionally, it is recommended to configure the server to bind only to the loopback interface by default, and to implement authentication checks for the MCP HTTP endpoint before processing tools/call requests.
