Cyber Resilience

CVE-2026-35577

Medium

Published: 09 April 2026
Modified: 17 April 2026
KEV Added
Patch
CVSS Score v3.1: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0018 (7.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-35577 is a medium-severity Origin Validation Error (CWE-346) vulnerability in Apollo GraphQL's Apollo MCP Server. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The vulnerability ranks at the 7.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-35577 is a vulnerability in Apollo MCP Server, a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the server failed to validate the Host header on incoming HTTP requests when using StreamableHTTP transport. This issue, linked to CWE-346, carries a CVSS score of 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) and was published on 2026-04-09.

Attackers can exploit this vulnerability through DNS rebinding techniques from a malicious website visited by a user running the server locally on localhost without authentication or network controls. This bypasses same-origin policy restrictions, enabling the attacker's site to issue requests to the local MCP server on the user's behalf. Successful exploitation allows invocation of exposed tools or access to resources, though it requires user interaction and is limited to StreamableHTTP transport modes.

The vulnerability is addressed in Apollo MCP Server version 1.7.0. It does not impact stdio transport, and risks are mitigated by authentication, network-level access controls, or non-localhost bindings. Details are available in the GitHub security advisory (GHSA-wqrj-vp8w-f8vh) and related pull requests (#602, #635).
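A Host header allow-list check of the kind this class of bug calls for, as an added example (not Apollo MCP Server's code or its actual fix). The allow-list, the function names and the listening port 8000 are assumptions made for illustration.

```rust
// Added illustration, not Apollo MCP Server code; all names are hypothetical.
const ALLOWED_HOSTS: [&str; 3] = ["localhost", "127.0.0.1", "[::1]"];

/// Split a Host header value (`uri-host [":" port]`) into host and port.
/// Returns None when the value is malformed.
fn split_host_port(value: &str) -> Option<(&str, Option<u16>)> {
    let v = value.trim();
    if v.contains(|c: char| c.is_whitespace() || c == '@' || c == '/') {
        return None;
    }
    // IPv6 literals are bracketed, so their colons are not port separators.
    let (host, rest) = if v.starts_with('[') {
        let end = v.find(']')?;
        (&v[..=end], &v[end + 1..])
    } else {
        match v.find(':') {
            Some(i) => (&v[..i], &v[i..]),
            None => (v, ""),
        }
    };
    let port = match rest.strip_prefix(':') {
        Some(p) if !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit()) => {
            Some(p.parse::<u16>().ok()?)
        }
        None if rest.is_empty() => None,
        _ => return None,
    };
    if host.is_empty() { None } else { Some((host, port)) }
}

/// True only when the Host header names the loopback listener itself.
/// Under DNS rebinding the browser still sends the attacker's hostname here.
fn host_header_allowed(header: Option<&str>, listen_port: u16) -> bool {
    let Some((host, port)) = header.and_then(split_host_port) else {
        return false; // missing or malformed header: reject
    };
    let host = host.to_ascii_lowercase();
    // No port in the header means the scheme default (80 for plain HTTP).
    port.unwrap_or(80) == listen_port && ALLOWED_HOSTS.iter().any(|h| *h == host)
}

fn main() {
    // Constructed sample Host values for a server assumed to listen on port 8000.
    for h in ["localhost:8000", "[::1]:8000", "rebind.attacker.example:8000"] {
        println!("{h:<30} allowed={}", host_header_allowed(Some(h), 8000));
    }
}
```

The check compares the whole host against the allow-list, so a name that merely begins with a loopback address is still rejected.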

Vulnerability details

Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website, visited by a user running the server locally, to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0.

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, model context protocol

Related Threats

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

The vulnerability enables exploitation via DNS rebinding from a malicious website visited by the user (bypassing origin validation on the localhost server), directly facilitating drive-by compromise to invoke local tools and resources.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9989: Shared CWE-346
CVE-2026-28403: Shared CWE-346
CVE-2026-23897: Same vendor: Apollographql
CVE-2026-2790: Shared CWE-346
CVE-2026-34927: Shared CWE-346
CVE-2022-50925: Shared CWE-346
CVE-2025-71217: Shared CWE-346
CVE-2026-34929: Shared CWE-346
CVE-2026-6508: Shared CWE-346
CVE-2026-34930: Shared CWE-346

Affected Assets

apollographql
apollo mcp server
≤ 1.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of HTTP Host header inputs to prevent DNS rebinding attacks that exploit unvalidated headers in the Apollo MCP Server.

prevent

Implements boundary protection and network-level access controls to restrict incoming requests to the localhost-bound StreamableHTTP transport, mitigating exploitation from malicious websites.

prevent

Enforces access control policies through mechanisms like Host header validation to block unauthorized logical access to GraphQL operations exposed as MCP tools.
