CVE-2026-35577
Received Received - Intake
Host Header Validation Bypass in Apollo MCP Server Enables CSRF

Publication date: 2026-04-09

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35577
EUVD
EUVD-2026-21061
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apollographql apollo_mcp_server to 1.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35577 is a vulnerability in Apollo MCP Server versions prior to 1.7.0 where the server did not validate the HTTP Host header on incoming requests when using the StreamableHTTP transport mode.

This lack of validation allows a malicious website, visited by a user running the server locally, to exploit DNS rebinding attacks to bypass browser same-origin policy restrictions and send crafted requests to the local MCP server.

If exploited successfully, an attacker could invoke MCP tools or access resources exposed by the server within the context of the local user's session.

The vulnerability is limited to HTTP-based transport modes (StreamableHTTP) and does not affect servers using stdio transport.

The risk is reduced in deployments that use authentication, network-level access controls, or are not bound to localhost.

This issue was fixed in Apollo MCP Server version 1.7.0 by introducing Host header validation middleware that rejects requests with invalid Host headers.

Impact Analysis

If exploited, this vulnerability allows an attacker to bypass browser same-origin policy restrictions via DNS rebinding attacks.

This enables the attacker to send crafted HTTP requests to the local Apollo MCP Server running on the user's machine.

As a result, the attacker could invoke MCP tools or access sensitive resources exposed by the server with the privileges of the local user.

This could lead to unauthorized access or manipulation of data and operations that the MCP server exposes.

The practical risk is lower if the server is configured with authentication, network-level access controls, or is not bound to localhost.

Detection Guidance

This vulnerability can be detected by testing whether the Apollo MCP Server running on localhost accepts HTTP requests with invalid or unexpected Host headers when using the StreamableHTTP transport mode.

You can use HTTP client tools like curl to send requests with various Host headers to the server and observe the responses.

  • Send a request with a valid localhost Host header (e.g., 'localhost:8000') and expect a 200 OK response.
  • Send a request with an invalid Host header (e.g., 'attacker.com' or 'localhost:9999') and check if the server rejects it with a 403 Forbidden response.
  • Example curl command to test invalid Host header: curl -H "Host: attacker.com" http://localhost:8000/
  • Example curl command to test valid Host header: curl -H "Host: localhost:8000" http://localhost:8000/

If the server accepts requests with invalid Host headers, it is vulnerable. If it rejects them with a 403 Forbidden response, it has the Host header validation fix applied.

Mitigation Strategies

The primary mitigation is to upgrade the Apollo MCP Server to version 1.7.0 or later, which includes Host header validation middleware that rejects requests with invalid Host headers.

If upgrading immediately is not possible, the following steps are recommended:

  • Enable authentication on the MCP server transport layer to restrict access.
  • Restrict network binding to trusted interfaces, avoiding exposure on public or untrusted networks.
  • Use a reverse proxy in front of the MCP server to validate or rewrite the Host header before forwarding requests.

Additionally, configure allowed hosts explicitly if using reverse proxies or custom hostnames to ensure only expected Host headers are accepted.

Compliance Impact

The vulnerability in Apollo MCP Server prior to version 1.7.0 allows DNS rebinding attacks that could enable an attacker to invoke tools or access resources exposed by the server on behalf of the local user. This could lead to unauthorized access to sensitive data or operations within the context of the local user's session.

Such unauthorized access risks could potentially impact compliance with common standards and regulations like GDPR or HIPAA, which require protection of sensitive data and prevention of unauthorized access. However, the practical risk is reduced in deployments that use authentication, network-level access controls, or are not bound to localhost.

Mitigations such as enabling authentication, restricting network bindings, or upgrading to version 1.7.0 with Host header validation help reduce the risk and support compliance efforts by preventing unauthorized access through this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35577. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart