CVE-2026-35577: CWE-346: Origin Validation Error in apollographql apollo-mcp-server
Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0.
AI Analysis
Technical Summary
Apollo MCP Server versions before 1.7.0 fail to validate the Host header on incoming HTTP requests when using the StreamableHTTP transport mode. This lack of validation can be exploited via DNS rebinding attacks if the server is running locally without authentication or network restrictions, enabling a malicious website visited by the user to send unauthorized requests to the local MCP server. The vulnerability does not affect stdio transport and is mitigated by authentication or network-level controls. The issue is addressed in version 1.7.0.
Potential Impact
Successful exploitation could allow an attacker to invoke tools or access resources exposed by the local MCP server on behalf of the user. The impact includes potential unauthorized command execution or data access with the privileges of the local user running the server. The risk is reduced if authentication, network controls, or non-localhost bindings are in place. The CVSS v3.1 score is 6.8 (medium severity), reflecting network attack vector with high impact on confidentiality and integrity but requiring user interaction and high attack complexity.
Mitigation Recommendations
Upgrade apollo-mcp-server to version 1.7.0 or later, where the Host header validation issue is fixed. If upgrading is not immediately possible, ensure that the MCP server is not exposed without authentication or network-level access controls, and avoid running the HTTP-based MCP server on localhost in insecure environments. Since no official patch link or advisory is provided, check the vendor's official channels for the latest updates and confirm remediation status.
CVE-2026-35577: CWE-346: Origin Validation Error in apollographql apollo-mcp-server
Description
Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apollo MCP Server versions before 1.7.0 fail to validate the Host header on incoming HTTP requests when using the StreamableHTTP transport mode. This lack of validation can be exploited via DNS rebinding attacks if the server is running locally without authentication or network restrictions, enabling a malicious website visited by the user to send unauthorized requests to the local MCP server. The vulnerability does not affect stdio transport and is mitigated by authentication or network-level controls. The issue is addressed in version 1.7.0.
Potential Impact
Successful exploitation could allow an attacker to invoke tools or access resources exposed by the local MCP server on behalf of the user. The impact includes potential unauthorized command execution or data access with the privileges of the local user running the server. The risk is reduced if authentication, network controls, or non-localhost bindings are in place. The CVSS v3.1 score is 6.8 (medium severity), reflecting network attack vector with high impact on confidentiality and integrity but requiring user interaction and high attack complexity.
Mitigation Recommendations
Upgrade apollo-mcp-server to version 1.7.0 or later, where the Host header validation issue is fixed. If upgrading is not immediately possible, ensure that the MCP server is not exposed without authentication or network-level access controls, and avoid running the HTTP-based MCP server on localhost in insecure environments. Since no official patch link or advisory is provided, check the vendor's official channels for the latest updates and confirm remediation status.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-03T20:09:02.827Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d806d21cc7ad14da15a568
Added to database: 4/9/2026, 8:06:42 PM
Last enriched: 4/17/2026, 12:01:41 PM
Last updated: 5/24/2026, 8:04:49 PM
Views: 76
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.