CVE Disclosure · Network AI

CVE-2026-48814

Network AI · authentication

Empty default secret is accepted as valid — every request is authorized when the secret is unset

Severity: High
Class: CWE-287 · CWE-1188
Vector: Default config
Advisory: GHSA-r78r-rwrf-rjwp

Summary

CVE-2026-48814 is an authentication bypass (CWE-287) rooted in an insecure default (CWE-1188) in Network AI. The product ships with an empty default secret, and the authorization routine treats that empty value as a legitimate secret. When an operator has not set one, the credential check succeeds for everyone — every request is authorized.

Technical Detail

The authorization gate compares a caller-supplied value against the configured secret. The configured secret defaults to an empty string, and the comparison does not special-case "unset":

The dangerous property is that the vulnerable state is the default state. A fresh deployment is exposed until and unless the operator notices and sets a secret — the system does not force that step.
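The two checks side by side, as an added illustration that is not Network AI's own code: the vulnerable pattern described above (a plain comparison against a secret that defaults to the empty string, so an absent or empty caller value matches) next to the fail-closed form the fixed release adopts. The config key `auth_secret` and the `X-Secret` header are assumed names for the example, not identifiers from the product.

```python
import hmac

# Constructed stand-in for a deployment's configuration; the real
# Network AI key name and format are not given on the page.
DEFAULT_CONFIG = {"auth_secret": ""}


def authorize_vulnerable(config: dict, supplied: str) -> bool:
    """Pattern in the advisory: compare the caller's value against the
    configured secret with no special case for "unset". With the empty
    default, an empty (or missing) caller value compares equal."""
    configured = config.get("auth_secret", "")
    return hmac.compare_digest(configured.encode(), supplied.encode())


def authorize_fixed(config: dict, supplied: str) -> bool:
    """Fail-closed variant: an unset or empty configured secret never
    authorizes anyone, whatever the caller sends."""
    configured = config.get("auth_secret")
    if not configured or not supplied:
        return False
    return hmac.compare_digest(configured.encode(), supplied.encode())


def require_secret_at_startup(config: dict) -> str:
    """Startup guard: refuse to boot at the empty default instead of
    silently running with the authorization gate open."""
    configured = config.get("auth_secret")
    if not configured:
        raise RuntimeError("auth_secret is unset; refusing to start")
    return configured


def handle_request(config: dict, headers: dict, check) -> bool:
    """Request-level view: a missing header becomes "" and, under the
    vulnerable check, matches the empty default secret."""
    supplied = headers.get("X-Secret", "")
    return check(config, supplied)
```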

Impact

Full authentication bypass on any deployment left at the default. An unauthenticated attacker can issue authorized requests against the protected surface and exercise whatever the authorized role permits. Because no misconfiguration is required — only the absence of configuration — exposure across real-world installs is likely broad.

Resolution

Upgrade to the fixed release named in the advisory, which fails closed: an empty or unset secret is rejected rather than accepted. Operationally:

References

Disclosure

Reported by Kai Aizen (SnailSploit). Coordinated with the Network AI maintainers via GitHub Security Advisory GHSA-r78r-rwrf-rjwp. See the advisory for affected and fixed version details.

Author: Kai Aizen. Independent adversarial research group. Published CVEs, Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts

ID: CVE-2026-48814
Product: Network AI
Severity: High
Class: CWE-287 · CWE-1188
Vector: empty default secret accepted as valid → auth bypass
Affected/Fixed: see GHSA
References: GHSA-r78r-rwrf-rjwp · MITRE · NVD
Frequently asked

CVE-2026-48814 — questions & answers

What is CVE-2026-48814?

An authentication bypass (CWE-287, insecure default CWE-1188) in Network AI. The product ships with an empty default secret, and the authorization check treats the empty value as valid, so every request is authorized when no secret is set. Tracked as GHSA-r78r-rwrf-rjwp.

Am I affected by CVE-2026-48814?

You are affected if you run Network AI without explicitly configuring an authentication secret, leaving it at the empty default. See GHSA-r78r-rwrf-rjwp for the affected and fixed version range.

How do I fix CVE-2026-48814?

Upgrade to the fixed release, which fails closed by rejecting an empty or unset secret. Immediately set a strong non-empty secret on every deployment, treat an unset secret as a hard startup error, and review logs for requests authorized during the empty-secret window.

What is the impact of CVE-2026-48814?

Full authentication bypass on any deployment left at the default. An unauthenticated attacker can issue authorized requests with whatever the authorized role permits. The insecure state is the default state, so exposure is likely broad.

Where can I find authoritative references?

The GitHub Security Advisory GHSA-r78r-rwrf-rjwp, the MITRE CVE record for CVE-2026-48814, and the NVD detail page once published.