Authentication Bypass in Network-AI Multi-Agent Orchestrator by Jovancoding
CVE-2026-42856

8.7 HIGH

Key Information:

Vendor: Jovancoding
CVE Published: 11 May 2026

What is CVE-2026-42856?

The Network-AI multi-agent orchestrator developed by Jovancoding exhibits a flaw that allows unauthorized parties to exploit its MCP HTTP transport. Prior to version 5.1.3, the system accepted JSON-RPC requests without any form of authentication or validation, effectively exposing privileged management tools. The default bind address of 0.0.0.0 further exacerbates the risk, permitting any user with network reachability to enumerate and invoke sensitive commands, thereby compromising the security of the orchestrator.

Affected Version(s)

Network-AI < 5.1.3

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
