{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35577", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.827Z", "datePublished": "2026-04-09T19:40:25.604Z", "dateUpdated": "2026-04-13T15:38:20.875Z"}, "containers": {"cna": {"title": "Missing Host Header Validation in Apollo MCP Server for Localhost Deployments", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/apollographql/apollo-mcp-server/security/advisories/GHSA-wqrj-vp8w-f8vh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apollographql/apollo-mcp-server/security/advisories/GHSA-wqrj-vp8w-f8vh"}, {"name": "https://github.com/apollographql/apollo-mcp-server/pull/602", "tags": ["x_refsource_MISC"], "url": "https://github.com/apollographql/apollo-mcp-server/pull/602"}, {"name": "https://github.com/apollographql/apollo-mcp-server/pull/635", "tags": ["x_refsource_MISC"], "url": "https://github.com/apollographql/apollo-mcp-server/pull/635"}], "affected": [{"vendor": "apollographql", "product": "apollo-mcp-server", "versions": [{"version": "< 1.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T19:40:25.604Z"}, "descriptions": [{"lang": "en", "value": "Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website\u2014visited by a user running the server locally\u2014to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0."}], "source": {"advisory": "GHSA-wqrj-vp8w-f8vh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:05:51.571445Z", "id": "CVE-2026-35577", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:38:20.875Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35577", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T15:05:51.571445Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:33:28.667Z"}}], "cna": {"title": "Missing Host Header Validation in Apollo MCP Server for Localhost Deployments", "source": {"advisory": "GHSA-wqrj-vp8w-f8vh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "apollographql", "product": "apollo-mcp-server", "versions": [{"status": "affected", "version": "< 1.7.0"}]}], "references": [{"url": "https://github.com/apollographql/apollo-mcp-server/security/advisories/GHSA-wqrj-vp8w-f8vh", "name": "https://github.com/apollographql/apollo-mcp-server/security/advisories/GHSA-wqrj-vp8w-f8vh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/apollographql/apollo-mcp-server/pull/602", "name": "https://github.com/apollographql/apollo-mcp-server/pull/602", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/apollographql/apollo-mcp-server/pull/635", "name": "https://github.com/apollographql/apollo-mcp-server/pull/635", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website\u2014visited by a user running the server locally\u2014to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T19:40:25.604Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35577", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:38:20.875Z", "dateReserved": "2026-04-03T20:09:02.827Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T19:40:25.604Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apollographql:apollo_mcp_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F975CB2-D811-487F-BBC4-D66D069AACBD", "versionEndExcluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website\u2014visited by a user running the server locally\u2014to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0."}], "id": "CVE-2026-35577", "lastModified": "2026-04-17T17:31:24.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T20:16:25.987", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/apollographql/apollo-mcp-server/pull/602"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/apollographql/apollo-mcp-server/pull/635"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/apollographql/apollo-mcp-server/security/advisories/GHSA-wqrj-vp8w-f8vh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "apollo-mcp-server", "vendor": "apollographql"}], "analysis": {"en": {"generated_at": "2026-04-09T21:22:23.933900+00:00", "value": {"mitigation_remediation": ["Upgrade Apollo MCP Server to version 1.7.0 or later", "If upgrade is not immediately possible, restrict the MCP server to non\u2011localhost interfaces or enforce authentication and network\u2011level access controls", "Consider disabling StreamableHTTP transport or using stdio transport to eliminate the host\u2011header validation issue"], "summary": {"action": "Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Apollo MCP Server deployments running the StreamableHTTP transport before version 1.7.0 and bound to localhost without additional authentication or network\u2011level controls are affected. Servers employing the stdio transport are not impacted, nor are those using authentication or external access restrictions.", "description_and_impact": "The vulnerability arises from the absence of Host header validation on HTTP requests received by certain transports of Apollo MCP Server. This oversight permits a malicious site to craft requests with a forged Host header, enabling DNS rebinding attacks that circumvent same-origin policy limitations. An attacker exploiting this flaw can invoke GraphQL\u2011based tools or access other resources that the local MCP server exposes, effectively performing actions on behalf of the local user. The weakness aligns with CWE\u2011346, which focuses on lack of input validation for request headers.", "risk_and_exploitability": "The CVSS score of 6.8 indicates a moderate risk level; EPSS data is not available and the vulnerability is not listed in the KEV catalog. Exploitation requires that a user visits a malicious website while the MCP server is running locally, leveraging DNS rebinding to supply a forged Host header. With the attacker\u2019s ability to execute tools or retrieve resources locally, the impact could be significant for confidentiality, integrity, and availability of data or processes exposed by the MCP server. Deployments that restrict network interfaces or enforce authentication significantly reduce exploitable surface area."}}}}, "created": "2026-04-10T08:38:45.938052+00:00", "updated": "2026-04-10T09:29:29.069803+00:00", "vendors": ["apollographql", "apollographql$PRODUCT$apollo-mcp-server"]}