CVE-2026-35577
Host Header Validation Bypass in Apollo MCP Server Enables CSRF
Publication date: 2026-04-09
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apollographql | apollo_mcp_server | to 1.7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35577 is a vulnerability in Apollo MCP Server versions prior to 1.7.0 where the server did not validate the HTTP Host header on incoming requests when using the StreamableHTTP transport mode.
This lack of validation allows a malicious website, visited by a user running the server locally, to exploit DNS rebinding attacks to bypass browser same-origin policy restrictions and send crafted requests to the local MCP server.
If exploited successfully, an attacker could invoke MCP tools or access resources exposed by the server within the context of the local user's session.
The vulnerability is limited to HTTP-based transport modes (StreamableHTTP) and does not affect servers using stdio transport.
The risk is reduced in deployments that use authentication, network-level access controls, or are not bound to localhost.
This issue was fixed in Apollo MCP Server version 1.7.0 by introducing Host header validation middleware that rejects requests with invalid Host headers.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker to bypass browser same-origin policy restrictions via DNS rebinding attacks.
This enables the attacker to send crafted HTTP requests to the local Apollo MCP Server running on the user's machine.
As a result, the attacker could invoke MCP tools or access sensitive resources exposed by the server with the privileges of the local user.
This could lead to unauthorized access or manipulation of data and operations that the MCP server exposes.
The practical risk is lower if the server is configured with authentication, network-level access controls, or is not bound to localhost.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the Apollo MCP Server running on localhost accepts HTTP requests with invalid or unexpected Host headers when using the StreamableHTTP transport mode.
You can use HTTP client tools like curl to send requests with various Host headers to the server and observe the responses.
- Send a request with a valid localhost Host header (e.g., 'localhost:8000') and expect a 200 OK response.
- Send a request with an invalid Host header (e.g., 'attacker.com' or 'localhost:9999') and check if the server rejects it with a 403 Forbidden response.
- Example curl command to test invalid Host header: curl -H "Host: attacker.com" http://localhost:8000/
- Example curl command to test valid Host header: curl -H "Host: localhost:8000" http://localhost:8000/
If the server accepts requests with invalid Host headers, it is vulnerable. If it rejects them with a 403 Forbidden response, it has the Host header validation fix applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Apollo MCP Server prior to version 1.7.0 allows DNS rebinding attacks that could enable an attacker to invoke tools or access resources exposed by the server on behalf of the local user. This could lead to unauthorized access to sensitive data or operations within the context of the local user's session.
Such unauthorized access risks could potentially impact compliance with common standards and regulations like GDPR or HIPAA, which require protection of sensitive data and prevention of unauthorized access. However, the practical risk is reduced in deployments that use authentication, network-level access controls, or are not bound to localhost.
Mitigations such as enabling authentication, restricting network bindings, or upgrading to version 1.7.0 with Host header validation help reduce the risk and support compliance efforts by preventing unauthorized access through this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Apollo MCP Server to version 1.7.0 or later, which includes Host header validation middleware that rejects requests with invalid Host headers.
If upgrading immediately is not possible, the following steps are recommended:
- Enable authentication on the MCP server transport layer to restrict access.
- Restrict network binding to trusted interfaces, avoiding exposure on public or untrusted networks.
- Use a reverse proxy in front of the MCP server to validate or rewrite the Host header before forwarding requests.
Additionally, configure allowed hosts explicitly if using reverse proxies or custom hostnames to ensure only expected Host headers are accepted.