CVE-2026-46341 in MCP Server
Summary
by MITRE • 07/16/2026
The Apify MCP server enables AI agents to extract data from websites using ready-made scrapers, crawlers, and automation tools available on the Apify Store. Prior to 0.9.21, the fetch-apify-docs tool in src/tools/common/fetch_apify_docs.ts validates allowlisted documentation domains with String.startsWith() rather than URL hostname comparison, allowing attacker-controlled URLs such as `https://docs.apify.com.evil.com/` and `https://[email protected]/` to pass the ALLOWED_DOC_DOMAINS check and return arbitrary fetched content to the LLM. This issue is fixed in version 0.9.21.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Apify MCP server represents a critical path traversal and domain validation flaw that enables attackers to bypass security controls designed to restrict documentation access. The system's fetch-apify-docs tool was implemented with insufficient input validation mechanisms, specifically relying on String.startsWith() method for domain validation instead of proper URL hostname comparison. This design choice creates a fundamental security gap where malicious actors can manipulate URLs to appear as legitimate domains while actually pointing to unauthorized resources. The vulnerability affects the server's ability to enforce proper access controls when processing documentation requests from AI agents, potentially allowing unauthorized content retrieval and data exfiltration.
The technical implementation flaw stems from improper URL parsing and validation logic that fails to properly isolate and compare hostname components of URLs. When attackers construct malicious URLs such as `https://docs.apify.com.evil.com/` or `https://[email protected]/`, the String.startsWith() method evaluates only the string prefix rather than performing proper hostname resolution. This allows attackers to append arbitrary domains to the legitimate domain path, effectively bypassing the ALLOWED_DOC_DOMAINS whitelist check. The vulnerability demonstrates a classic security weakness where simple string operations are used instead of robust URL parsing and validation mechanisms, creating an attack surface that should have been restricted by proper input sanitization.
The operational impact of this vulnerability extends beyond simple data access control breaches to potentially enable more sophisticated attacks against the Apify ecosystem. When AI agents retrieve documentation content through the compromised validation mechanism, attackers can influence the information returned to language models, potentially leading to misinformation or injection of malicious content into AI responses. This creates a vector for both passive data exfiltration and active manipulation of AI agent behavior through crafted documentation responses. The vulnerability affects the integrity of the documentation fetching process and undermines trust in the system's ability to provide legitimate content while preventing unauthorized access to sensitive information.
This vulnerability aligns with CWE-20 Improper Input Validation and CWE-120 Buffer Overflow, as the improper string validation creates opportunities for path traversal and resource manipulation attacks. From an ATT&CK framework perspective, this represents a technique for privilege escalation through input manipulation and a method for initial access via exploitation of insecure validation routines. The fix implemented in version 0.9.21 addresses this issue by replacing String.startsWith() with proper URL hostname comparison methods that correctly parse and validate domain components. Organizations should implement comprehensive input validation controls, including proper URL parsing libraries, to prevent similar vulnerabilities from occurring in other security-critical components of their systems. The incident highlights the importance of using established security libraries and frameworks rather than implementing custom validation logic that may contain subtle but critical flaws.