CVE-2026-46341 in MCP ServerИнформация

Сводка

по MITRE • 16.07.2026

The Apify MCP server enables AI agents to extract data from websites using ready-made scrapers, crawlers, and automation tools available on the Apify Store. Prior to 0.9.21, the fetch-apify-docs tool in src/tools/common/fetch_apify_docs.ts validates allowlisted documentation domains with String.startsWith() rather than URL hostname comparison, allowing attacker-controlled URLs such as `https://docs.apify.com.evil.com/` and `https://[email protected]/` to pass the ALLOWED_DOC_DOMAINS check and return arbitrary fetched content to the LLM. This issue is fixed in version 0.9.21.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Ответственный

GitHub M

Резервировать

13.05.2026

Раскрытие

16.07.2026

Модерация

принято

Вход

VDB-379595

EPSS

0.00000

KEV

Нет

Деятельности

Низкий

Источники

Interested in the pricing of exploits?

See the underground prices here!