network-ai ApprovalInbox Missing Authentication and Wildcard CORS
What changed
The ApprovalInbox HTTP server in network-ai <=5.11.0 has no authentication and sets Access-Control-Allow-Origin: *, allowing any website or local process to enumerate and approve/deny pending high-risk actions without credentials.
Who it affects
All users of network-ai <=5.11.0 who use the ApprovalInbox feature (opt-in, but documented as a security measure).
What to do today
Upgrade to [email protected] or later; that release requires a bearer secret for mutating endpoints and removes the wildcard CORS header.