CVE-2026-35577 Overview
CVE-2026-35577 is a DNS Rebinding vulnerability affecting Apollo MCP Server, a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. This weakness could allow a malicious website to bypass same-origin policy restrictions and issue unauthorized requests to a local MCP server instance.
Critical Impact
Attackers could leverage DNS rebinding techniques to invoke tools or access resources exposed by the MCP server on behalf of local users running the server on localhost.
Affected Products
- Apollo MCP Server versions prior to 1.7.0
- Deployments using HTTP-based transport modes (StreamableHTTP)
- Local server instances bound to localhost without authentication
Discovery Timeline
- 2026-04-09 - CVE-2026-35577 published to NVD
- 2026-04-09 - Last updated in the NVD database
Technical Details for CVE-2026-35577
Vulnerability Analysis
This vulnerability stems from insufficient Host header validation in Apollo MCP Server's HTTP request handling mechanism. The weakness is classified under CWE-346 (Origin Validation Error), which occurs when an application fails to properly verify the origin or source of an incoming communication. In this case, when the server operates in StreamableHTTP transport mode, it does not adequately validate the Host header, creating an opportunity for DNS rebinding attacks.
DNS rebinding is a technique where an attacker manipulates DNS resolution to bypass the browser's same-origin policy. By controlling a malicious domain that initially resolves to the attacker's server and then rebinds to 127.0.0.1 (localhost), an attacker can trick a victim's browser into sending requests to local services as if they originated from the same origin.
The vulnerability requires user interaction—specifically, a victim must visit a malicious website while running the vulnerable MCP server locally. The practical exploitability is limited by several factors: deployments using authentication mechanisms, network-level access controls, or stdio transport mode are not affected.
Root Cause
The root cause of CVE-2026-35577 is the absence of Host header validation in the StreamableHTTP transport implementation. When processing incoming HTTP requests, the server failed to verify that the Host header matched expected values (such as localhost or 127.0.0.1), allowing requests with arbitrary Host headers to be processed. This missing validation enables DNS rebinding attacks to succeed against localhost-bound server instances.
Attack Vector
The attack vector for this vulnerability operates through the network and requires user interaction. An attacker would need to:
- Set up a malicious website with JavaScript code designed to exploit DNS rebinding
- Configure a domain with a short DNS TTL that initially resolves to the attacker's IP
- Lure a victim running a vulnerable Apollo MCP Server locally to visit the malicious site
- After the initial page load, the attacker rebinds the DNS to resolve to 127.0.0.1
- The victim's browser, believing requests are going to the same origin, sends requests to the local MCP server
- The attacker can then invoke MCP tools or access resources through the victim's browser
The attack is limited to scenarios where the MCP server is bound to localhost without authentication. Servers using stdio transport are not vulnerable as they do not expose an HTTP endpoint. For detailed technical information, see the GitHub Security Advisory GHSA-wqrj-vp8w-f8vh.
Detection Methods for CVE-2026-35577
Indicators of Compromise
- Unusual HTTP requests to local MCP server instances with suspicious or unexpected Host headers
- Web server logs showing requests with mismatched Host headers that don't correspond to legitimate localhost values
- GraphQL operations being invoked without corresponding legitimate user activity
Detection Strategies
- Monitor HTTP server logs for incoming requests with Host headers that don't match expected localhost values (localhost, 127.0.0.1, ::1)
- Implement web application firewall rules to flag requests with anomalous Host header patterns
- Review browser developer console logs for unexpected cross-origin requests to localhost ports
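The Root Cause section above describes the missing check (a Host header that is never compared against the values a localhost-bound server should accept), and the Detection Strategies list proposes scanning server logs for Host values that fall outside that set. The following Rust program is an added example that is not Apollo MCP Server's own code and is not the fix referenced under Patch Information: it implements an allowlist check of the kind the advisory describes, handling the port suffix, the bracketed IPv6 form, case differences and an empty header, and then applies the same check to a few constructed access-log lines. The log format (a `host="..."` field per line), the allowlist contents and the `listen_port` parameter are assumptions made for the example.

```rust
// Added example, not Apollo MCP Server code: allowlist-based Host header
// validation of the kind CVE-2026-35577 was missing, reused as a log scanner.

/// Hosts a localhost-bound MCP server should accept (assumed allowlist).
/// The port is checked separately so the list works for any listening port.
const ALLOWED_HOSTS: &[&str] = &["localhost", "127.0.0.1", "::1"];

/// Split a Host header value into (host, optional port), accepting the
/// bracketed IPv6 form "[::1]:3000" as well as "localhost:3000".
/// Returns None for an empty value or a malformed one (e.g. an unbracketed
/// IPv6 literal, which is not valid in a Host header).
fn split_host_port(value: &str) -> Option<(String, Option<u16>)> {
    let v = value.trim();
    if v.is_empty() {
        return None;
    }
    if let Some(rest) = v.strip_prefix('[') {
        let end = rest.find(']')?;
        let host = &rest[..end];
        let after = &rest[end + 1..];
        if after.is_empty() {
            return Some((host.to_string(), None));
        }
        let port = after.strip_prefix(':')?.parse::<u16>().ok()?;
        return Some((host.to_string(), Some(port)));
    }
    match v.rsplit_once(':') {
        // "host:port" where the host part itself contains no ':'
        Some((host, port)) if !host.contains(':') => {
            let port = port.parse::<u16>().ok()?;
            Some((host.to_string(), Some(port)))
        }
        // bare IPv6 literal without brackets: reject
        Some(_) => None,
        None => Some((v.to_string(), None)),
    }
}

/// True when the Host header names this server itself: the host part is on
/// the allowlist (case-insensitively) and the port matches `listen_port`.
/// A Host without a port only makes sense for the HTTP default port 80, so
/// a server on any other port rejects it.
fn host_header_allowed(value: &str, listen_port: u16) -> bool {
    match split_host_port(value) {
        Some((host, port)) => {
            ALLOWED_HOSTS.iter().any(|h| h.eq_ignore_ascii_case(&host))
                && port.map_or(listen_port == 80, |p| p == listen_port)
        }
        None => false,
    }
}

/// Constructed access-log lines (not real Apollo MCP Server output); the
/// host="..." field carries the request's Host header. Line 3 carries a
/// foreign name, line 4 the wrong port, line 5 an empty header.
const SAMPLE_LOG: &str = r#"2026-04-09T12:00:01Z src=127.0.0.1 method=POST path=/mcp host="localhost:3000"
2026-04-09T12:00:02Z src=127.0.0.1 method=POST path=/mcp host="[::1]:3000"
2026-04-09T12:00:03Z src=127.0.0.1 method=POST path=/mcp host="evil-rebind.example:3000"
2026-04-09T12:00:04Z src=127.0.0.1 method=POST path=/mcp host="127.0.0.1:8080"
2026-04-09T12:00:05Z src=127.0.0.1 method=POST path=/mcp host=""
"#;

/// Extract the value of the host="..." field from one log line.
fn host_field(line: &str) -> Option<&str> {
    let start = line.find("host=\"")? + "host=\"".len();
    let end = line[start..].find('"')? + start;
    Some(&line[start..end])
}

/// Return (line number, Host value) for every request whose Host header would
/// not have passed validation. A line with no host= field is reported as well,
/// since a missing Host header is itself anomalous for an HTTP/1.1 request.
fn suspicious_hosts(log: &str, listen_port: u16) -> Vec<(usize, String)> {
    log.lines()
        .enumerate()
        .filter_map(|(i, line)| {
            let host = host_field(line).unwrap_or("");
            if host_header_allowed(host, listen_port) {
                None
            } else {
                Some((i + 1, host.to_string()))
            }
        })
        .collect()
}

fn main() {
    // Assumes the server listens on port 3000, as in the iptables workaround below.
    for (n, host) in suspicious_hosts(SAMPLE_LOG, 3000) {
        println!("line {n}: unexpected Host header {host:?}");
    }
}
```

The same predicate is used on the request path and over the logs on purpose: a request that the server would now reject with the fix in place is exactly the request worth alerting on in logs from an unpatched instance. Note that the source address is 127.0.0.1 on every sample line, including the suspicious ones, which is why the Host header rather than the client IP is the useful signal for this vulnerability.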
Monitoring Recommendations
- Enable verbose logging on Apollo MCP Server instances to capture all incoming HTTP requests with their headers
- Deploy network monitoring tools to detect unusual DNS resolution patterns that may indicate rebinding attempts
- Monitor for rapid DNS TTL changes on domains accessing local services
How to Mitigate CVE-2026-35577
Immediate Actions Required
- Upgrade Apollo MCP Server to version 1.7.0 or later immediately
- If upgrade is not immediately possible, implement authentication on the MCP server endpoint
- Consider switching to stdio transport mode if HTTP transport is not strictly required
- Apply network-level access controls to restrict which hosts can connect to the MCP server
Patch Information
The vulnerability has been addressed in Apollo MCP Server version 1.7.0. The fix implements proper Host header validation to prevent DNS rebinding attacks. Details of the fix can be found in GitHub Pull Request #602 and GitHub Pull Request #635.
Workarounds
- Enable authentication on the MCP server to require valid credentials for all requests
- Configure network-level access controls (firewall rules) to restrict connections to trusted sources only
- Avoid exposing the MCP server's HTTP endpoint on a localhost interface that a web browser on the same machine can reach without authentication
- Use stdio transport mode instead of HTTP-based StreamableHTTP transport when possible
# Example: Restricting access to the MCP server port via iptables
# Allow only the local host to reach the MCP server port (3000 assumed here); drop everything else
iptables -A INPUT -p tcp --dport 3000 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
# Note: a browser on the same machine still connects from 127.0.0.1 and is accepted by the first rule,
# so this restricts remote access only; it does not by itself stop a DNS rebinding request issued by a
# local browser. Combine it with the upgrade or with authentication. For a server that also listens on
# ::1, add the equivalent ip6tables rules.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.