GHSA-jwp7-wg77-3w9v: Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
mediumvulnerabilityLLM-Specific
security
Summary
A domain allowlist (list of approved websites) in the Apify Model Context Protocol server is bypassed because it uses simple string prefix matching instead of proper URL validation. An attacker can create a fake subdomain like `https://docs.apify.com.evil.com/` that passes the check, allowing the tool to fetch arbitrary content from attacker-controlled servers and return it to the AI, which can lead to prompt injection (tricking the AI by hiding instructions in fetched content) and potential account compromise.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 19, 2026
Classification
Attack Type
Prompt InjectionRAG Poisoning
Attack SophisticationTrivial
Impact (CIA+S)
integrity
Affected Vendors
Affected Packages
@apify/actors-mcp-server@< 0.9.21 (fixed: 0.9.21)
Related Issues
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-jwp7-wg77-3w9v
First tracked: May 19, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%