Cyber Posture

CVE-2026-35577

Medium

Published: 09 April 2026

Modified: 17 April 2026
CVSS Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (7.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35577 is a medium-severity Origin Validation Error (CWE-346) vulnerability in Apollographql Apollo MCP Server. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 7.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of HTTP Host header inputs to prevent DNS rebinding attacks that exploit unvalidated headers in the Apollo MCP Server.

prevent

Implements boundary protection and network-level access controls to restrict incoming requests to the localhost-bound StreamableHTTP transport, mitigating exploitation from malicious websites.

prevent

Enforces access control policies through mechanisms like Host header validation to block unauthorized logical access to GraphQL operations exposed as MCP tools.

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

The vulnerability enables exploitation via DNS rebinding from a malicious website visited by the user (bypassing origin validation on the localhost server), directly facilitating drive-by compromise to invoke local tools and resources.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0.

Deeper analysis

CVE-2026-35577 is a vulnerability in Apollo MCP Server, a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the server failed to validate the Host header on incoming HTTP requests when using StreamableHTTP transport. This issue, linked to CWE-346, carries a CVSS score of 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) and was published on 2026-04-09.

Attackers can exploit this vulnerability through DNS rebinding techniques from a malicious website visited by a user running the server locally on localhost without authentication or network controls. This bypasses same-origin policy restrictions, enabling the attacker's site to issue requests to the local MCP server on the user's behalf. Successful exploitation allows invocation of exposed tools or access to resources, though it requires user interaction and is limited to StreamableHTTP transport modes.

The vulnerability is addressed in Apollo MCP Server version 1.7.0. It does not impact stdio transport, and risks are mitigated by authentication, network-level access controls, or non-localhost bindings. Details are available in the GitHub security advisory (GHSA-wqrj-vp8w-f8vh) and related pull requests (#602, #635).
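The Host header check whose absence this CVE describes can be sketched as follows. This is an added example, not code from Apollo MCP Server or its 1.7.0 fix; the function names, the loopback allowlist and the listen port 8000 are assumptions made for illustration.

```rust
// Added illustration, not Apollo MCP Server code. The allowlist, function
// names and the port are hypothetical.

/// Parse a Host header value into (lowercased host, optional port).
/// Accepts bracketed IPv6 literals such as "[::1]:8000".
fn split_host(value: &str) -> Option<(String, Option<u16>)> {
    let v = value.trim();
    let (host, port) = if let Some(rest) = v.strip_prefix('[') {
        let end = rest.find(']')?;
        let after = &rest[end + 1..];
        match after.strip_prefix(':') {
            Some(p) => (&rest[..end], Some(p)),
            None if after.is_empty() => (&rest[..end], None),
            None => return None, // junk after the closing bracket
        }
    } else {
        match v.rsplit_once(':') {
            Some((h, _)) if h.contains(':') => return None, // unbracketed IPv6
            Some((h, p)) => (h, Some(p)),
            None => (v, None),
        }
    };
    let port = match port {
        Some(p) => Some(p.parse::<u16>().ok()?),
        None => None,
    };
    // Treat "localhost." (trailing dot) the same as "localhost".
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if host.is_empty() { None } else { Some((host, port)) }
}

/// True only when Host names the loopback listener on its own port.
/// A rebound page still sends the attacker's domain in Host, so it fails here.
fn host_allowed(header: Option<&str>, listen_port: u16) -> bool {
    const ALLOWED: [&str; 3] = ["localhost", "127.0.0.1", "::1"];
    match header.and_then(split_host) {
        // An absent port means the HTTP default, 80.
        Some((host, port)) => {
            ALLOWED.iter().any(|a| *a == host.as_str()) && port.unwrap_or(80) == listen_port
        }
        None => false, // missing or malformed Host header
    }
}

fn main() {
    // Constructed Host values; 8000 is an assumed listen port.
    for h in ["127.0.0.1:8000", "[::1]:8000", "rebind.example:8000"] {
        println!("{h} -> {}", if host_allowed(Some(h), 8000) { "accept" } else { "reject" });
    }
}
```

A server applying this check would reject the request before any MCP tool dispatch; it complements, and does not replace, the authentication and network-level controls the advisory mentions.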

Details

CWE(s)

CWE-346 (Origin Validation Error)

Affected Products

apollographql
apollo mcp server
≤ 1.7.0

AI Security Analysis

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp, model context protocol, mcp, mcp, mcp, mcp, mcp

CVEs Like This One

CVE-2026-28403: Shared CWE-346
CVE-2026-23897: Same vendor: Apollographql
CVE-2026-2790: Shared CWE-346
CVE-2026-41342: Shared CWE-346
CVE-2022-50975: Shared CWE-346
CVE-2022-50925: Shared CWE-346
CVE-2025-7659: Shared CWE-346
CVE-2026-34359: Shared CWE-346
CVE-2026-41057: Shared CWE-346
CVE-2026-23552: Shared CWE-346
