Description
Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0.
Published: 2026-04-09
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The vulnerability arises from the absence of Host header validation on HTTP requests received by certain transports of Apollo MCP Server. This oversight permits a malicious site to craft requests with a forged Host header, enabling DNS rebinding attacks that circumvent same-origin policy limitations. An attacker exploiting this flaw can invoke GraphQL‑based tools or access other resources that the local MCP server exposes, effectively performing actions on behalf of the local user. The weakness aligns with CWE‑346, which focuses on lack of input validation for request headers.

Affected Systems

Apollo MCP Server deployments running the StreamableHTTP transport before version 1.7.0 and bound to localhost without additional authentication or network‑level controls are affected. Servers employing the stdio transport are not impacted, nor are those using authentication or external access restrictions.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate risk level; EPSS data is not available and the vulnerability is not listed in the KEV catalog. Exploitation requires that a user visits a malicious website while the MCP server is running locally, leveraging DNS rebinding to supply a forged Host header. With the attacker’s ability to execute tools or retrieve resources locally, the impact could be significant for confidentiality, integrity, and availability of data or processes exposed by the MCP server. Deployments that restrict network interfaces or enforce authentication significantly reduce exploitable surface area.

Generated by OpenCVE AI on April 9, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apollo MCP Server to version 1.7.0 or later
  • If upgrade is not immediately possible, restrict the MCP server to non‑localhost interfaces or enforce authentication and network‑level access controls
  • Consider disabling StreamableHTTP transport or using stdio transport to eliminate the host‑header validation issue

Generated by OpenCVE AI on April 9, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apollographql apollo Mcp Server
CPEs cpe:2.3:a:apollographql:apollo_mcp_server:*:*:*:*:*:*:*:*
Vendors & Products Apollographql apollo Mcp Server

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Apollographql
Apollographql apollo-mcp-server
Vendors & Products Apollographql
Apollographql apollo-mcp-server

Thu, 09 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0.
Title Missing Host Header Validation in Apollo MCP Server for Localhost Deployments
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Apollographql Apollo-mcp-server Apollo Mcp Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:38:20.875Z

Reserved: 2026-04-03T20:09:02.827Z

Link: CVE-2026-35577

cve-icon Vulnrichment

Updated: 2026-04-13T15:33:28.667Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T20:16:25.987

Modified: 2026-04-17T17:31:24.323

Link: CVE-2026-35577

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:29Z

Weaknesses