Apollo MCP Server

1 CVE for this product

CVE-2026-35577 (MEDIUM, published this month)

Apollo MCP Server versions prior to 1.7.0 fail to validate HTTP Host headers on StreamableHTTP transport, allowing unauthenticated remote attackers with user interaction to bypass same-origin policy via DNS rebinding attacks and invoke GraphQL tools or access resources on behalf of a local user. The vulnerability is limited to HTTP-based deployments without network-level controls and does not affect stdio transport configurations. Vendor-released patch: version 1.7.0.

Category: Authentication Bypass (Apollo MCP Server)
CVSS 3.1: 6.8 (MEDIUM)
EPSS: 0.0%
References: NVD, GitHub
