{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/token-exfiltration/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@apify/actors-mcp-server (0.10.7)"],"_cs_severities":["high"],"_cs_tags":["ssp-injection","ssrf","token-exfiltration","npm-package","cloud","saas"],"_cs_type":"advisory","_cs_vendors":["Apify"],"content_html":"\u003cp\u003eA critical Server-Side Request Forgery (SSRF) vulnerability, tracked as GHSA-6gr2-qh89-hxwm, exists in \u003ccode\u003e@apify/actors-mcp-server\u003c/code\u003e version \u003ccode\u003e0.10.7\u003c/code\u003e and earlier. This flaw allows an attacker to exfiltrate Apify API tokens from users who interact with a specially crafted malicious Actor. The vulnerability stems from improper validation of the \u003ccode\u003ewebServerMcpPath\u003c/code\u003e value, which is sourced from an attacker-controlled Actor definition. By injecting an authority (e.g., \u003ccode\u003e@attacker.example/mcp\u003c/code\u003e) into this path, an attacker can redirect the MCP client's outbound connection to an arbitrary host. Crucially, the MCP client unconditionally attaches the victim's \u003ccode\u003eAuthorization: Bearer \u0026lt;APIFY_TOKEN\u0026gt;\u003c/code\u003e header to these outbound connections, leading to the silent exfiltration of the API token. This grants the attacker full access to the victim's Apify account, enabling actions such as running and managing Actors, accessing stored data, and incurring compute charges, without requiring special privileges or code execution on the victim's machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker publishes a malicious Actor on the Apify platform, crafting its definition to include a \u003ccode\u003ewebServerMcpPath\u003c/code\u003e value designed for URL authority injection (e.g., \u003ccode\u003e@attacker.example/mcp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA victim, running \u003ccode\u003e@apify/actors-mcp-server\u003c/code\u003e (version \u003ccode\u003e0.10.7\u003c/code\u003e or earlier) and configured with an Apify API token, initiates an MCP tool call (e.g., \u003ccode\u003ecall-actor\u003c/code\u003e or \u003ccode\u003efetch-actor-details\u003c/code\u003e) targeting the attacker-controlled Actor.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eapifyToken\u003c/code\u003e is resolved from environment variables, server options, or the MCP request's \u003ccode\u003e_meta.apifyToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application fetches the attacker's Actor definition from the Apify API, retrieving the malicious \u003ccode\u003ewebServerMcpPath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetActorMCPServerURL()\u003c/code\u003e function receives the \u003ccode\u003ewebServerMcpPath\u003c/code\u003e, trims and splits it, but crucially performs no validation against authority injection.\u003c/li\u003e\n\u003cli\u003eThe function then concatenates a trusted \u003ccode\u003estandbyUrl\u003c/code\u003e with the malicious \u003ccode\u003emcpServerPath\u003c/code\u003e, creating an authority-injected URL (e.g., \u003ccode\u003ehttps://real-actor-id.apify.actor@attacker.example/mcp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econnectMCPClient()\u003c/code\u003e function is invoked with this crafted URL and the victim's Apify API token.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econnectMCPClient()\u003c/code\u003e then establishes an outbound HTTP connection to the attacker's server (\u003ccode\u003eattacker.example\u003c/code\u003e), sending the victim's \u003ccode\u003eAuthorization: Bearer \u0026lt;APIFY_TOKEN\u0026gt;\u003c/code\u003e header, thereby exfiltrating the token.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAny user of \u003ccode\u003e@apify/actors-mcp-server\u003c/code\u003e versions prior to \u003ccode\u003e0.10.8\u003c/code\u003e who has an Apify API token configured and is induced to invoke an MCP tool against an attacker-controlled Actor will have their Apify API token silently exfiltrated. The exfiltrated token grants the attacker full administrative access to the victim's Apify account, allowing them to run, manage, and modify Actors, access sensitive data stored within the account, and potentially incur significant compute charges. The attack requires no special privileges on the victim's side and no code execution on their machine, only the interaction with a malicious Actor on the Apify platform, posing a significant risk to the integrity and confidentiality of user accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003e@apify/actors-mcp-server\u003c/code\u003e to version \u003ccode\u003e0.10.8\u003c/code\u003e or newer to remediate the URL authority injection vulnerability (GHSA-6gr2-qh89-hxwm).\u003c/li\u003e\n\u003cli\u003eImplement strict outbound network egress filtering to prevent unauthorized connections to unknown or untrusted domains, specifically monitoring for connections from \u003ccode\u003e@apify/actors-mcp-server\u003c/code\u003e processes that contain \u003ccode\u003eAuthorization: Bearer\u003c/code\u003e headers directed to domains other than \u003ccode\u003e*.apify.com\u003c/code\u003e or other explicitly allowed Apify infrastructure.\u003c/li\u003e\n\u003cli\u003eConsider using dedicated network monitoring tools to detect connections to suspicious IP addresses or domains (e.g., \u003ccode\u003eattacker.example\u003c/code\u003e or \u003ccode\u003e127.0.0.1\u003c/code\u003e as seen in PoC) from your Apify infrastructure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:22:45Z","date_published":"2026-07-03T12:22:45Z","id":"https://feed.craftedsignal.io/briefs/2026-07-apify-mcp-token-leak/","summary":"An attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in `@apify/actors-mcp-server` version `0.10.7` by crafting a malicious Actor definition to inject an arbitrary authority into a URL, causing the MCP client to exfiltrate the victim's Apify API token to the attacker's server, granting full access to their Apify account.","title":"Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token","url":"https://feed.craftedsignal.io/briefs/2026-07-apify-mcp-token-leak/"}],"language":"en","title":"CraftedSignal Threat Feed - Token-Exfiltration","version":"https://jsonfeed.org/version/1.1"}