EnvironmentManager.listBackups() reads each backup's _manifest.json and trusts the manifest's path field. EnvironmentManager.pruneBackups() later passes that trusted entry.path directly to rmSync(entry.path, { recursive: true, force: true }). An attacker who can place or modify a manifest inside data/<env>/.backups/<name>/_manifest.json can cause network-ai env backup prune –env <env> –keep <n> or any code path invoking pruneBackups() to recursively delete an arbitrary path accessible to the Network-AI process user. Confirmed in Network-AI 5.12.1.
The agent sandbox gates shell commands behind an allowlist (SandboxPolicy.isCommandAllowed), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but ShellExecutor runs that string through /bin/sh -c. So any wildcard allow such as git *, npm * or node * also matches git status; <anything>, and a scoped command becomes arbitrary execution.
EnvironmentManager.restore(env, backupId) computes the backup path with join(envDir, '.backups', backupId) and only checks that this path exists. It does not resolve the result or verify that it remains under data/<env>/.backups. A caller can pass a traversal backup ID such as ../../../outside/source-dir to restore files from an arbitrary directory into the target environment data directory. Confirmed in Network-AI 5.12.1.
EnvironmentManager.backup() recursively collects files using _collectBackupFiles(). _collectBackupFiles() uses statSync(full), which follows symlinks. If data/<env> contains a symlink to a directory outside the environment root, backup recursion follows the symlink and copies external files into data/<env>/.backups/<backupId>/. An attacker who can place a symlink under the environment data directory can cause backup operations to disclose files outside the environment root into backup artifacts. Confirmed in Network-AI 5.12.1.
Advisory / Disclosure Network-AI — CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives Target: Jovancoding/Network-AI (npm network-ai), latest v5.7.1 Status: the advisory ("Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret") named three flaws. The fix (5.4.5) closed the CORS flaw (Access-Control-Allow-Origin is now set only for localhost origins), but left the empty-default-secret flaw the title is about: the SSE MCP server still defaults to an empty …
network-ai's ApprovalInbox (lib/approval-inbox.ts) is a shipped, exported, documented feature — "a web-accessible approval queue with REST API … and SSE streaming" (SECURITY.md). It is the network surface of the human-in-the-loop Approval Gate, which ApprovalGate uses to require explicit human approval for "high-risk operations (writes, shell commands, budget spend)" (SECURITY.md). The HTTP server it exposes has no authentication of any kind and sets Access-Control-Allow-Origin: * on every route, including the state-changing …
AgentRuntime promises scoped file access under a configured sandbox basePath, but its path containment checks use raw string prefix tests. A sandbox base such as /tmp/network-ai-sandbox also matches a sibling path such as /tmp/network-ai-sandbox_evil/secret.txt. An agent/user that can call AgentRuntime.readFile() or AgentRuntime.listDir() can read or list files outside the intended sandbox when the target path is in a sibling directory sharing the base path prefix. This breaks the documented sandbox …
The MCP SSE server defaults to an empty secret (process.env['NETWORK_AI_MCP_SECRET'] ?? '' at bin/mcp-server.ts:89), which causes _isAuthorized (lib/mcp-transport-sse.ts:254) to return true unconditionally for every request — no Authorization header is required. Simultaneously, _handleRequest sets Access-Control-Allow-Origin: * (lib/mcp-transport-sse.ts:272) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP …
The MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0. As a result, any party with network reachability to the service can enumerate and invoke privileged management tools — including reading and mutating the live orchestrator configuration, listing registered agents, dispatching agents, creating/revoking security tokens, and adjusting global budget …