Threat Advisory

Apify Actor MCP Server SSRF Vulnerability Leaks Tokens

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50143 with a CVSS score of 8.1 is a Server-Side Request Forgery (SSRF) vulnerability affecting the Apify Model Context Protocol (MCP) server package `@apify/actors-mcp-server` in versions prior to 0.10.11. This flaw exists because the server constructs Actor standby URLs by directly concatenating a trusted base URL with an attacker-controlled `webServerMcpPath` value without proper validation, enabling path authority injection. An attacker can exploit this by publishing a malicious Actor containing a crafted path, which tricks the URL parser into treating the request as destined for a hostile host rather than the legitimate Apify infrastructure. Consequently, the vulnerable MCP client unconditionally attaches the victim's `Authorization: Bearer` header to this connection, allowing the attacker to intercept and exfiltrate the sensitive API token. This compromise grants the attacker full access to the victim's Apify account, posing severe risks of data theft and resource abuse. Exploitation requires the victim to utilize the vulnerable client to interact with a malicious Actor definition, triggering the unauthorized credential transmission.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50143 with a CVSS score of 8.1 is a Server-Side Request Forgery (SSRF) vulnerability affecting the Apify Model Context Protocol (MCP) server package `@apify/actors-mcp-server` in versions prior to 0.10.11. This flaw exists because the server constructs Actor standby URLs by directly concatenating a trusted base URL with an attacker-controlled `webServerMcpPath` value without proper validation, enabling path authority injection. An attacker can exploit this by publishing a malicious Actor containing a crafted path, which tricks the URL parser into treating the request as destined for a hostile host rather than the legitimate Apify infrastructure. Consequently, the vulnerable MCP client unconditionally attaches the victim's `Authorization: Bearer` header to this connection, allowing the attacker to intercept and exfiltrate the sensitive API token. This compromise grants the attacker full access to the victim's Apify account, posing severe risks of data theft and resource abuse. Exploitation requires the victim to utilize the vulnerable client to interact with a malicious Actor definition, triggering the unauthorized credential transmission.[emaillocker id="1283"]

RECOMMENDATION:

  • We recommend you to update apify actors-mcp-server to version 0.10.11.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6gr2-qh89-hxwm

[/emaillocker]
crossmenu