CVE-2026-46341

MEDIUMPre-NVD 6.16.1

6.1

Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching

Summary

The fetch-apify-docs tool validates URLs against a domain allowlist using String.startsWith() instead of proper URL hostname comparison. This allows bypass via attacker-controlled subdomains (e.g., https://docs.apify.com.evil.com/), enabling the tool to fetch and return arbitrary web content to the LLM.

Details

Vulnerable component

src/tools/common/fetch_apify_docs.ts, line 51:

const isAllowedDomain = ALLOWED_DOC_DOMAINS.some((domain) => url.startsWith(domain));

src/const.ts, lines 167-170:

export const ALLOWED_DOC_DOMAINS = [
    'https://docs.apify.com',
    'https://crawlee.dev',
] as const;

How the bypass works

String.startsWith('https://docs.apify.com') matches any string beginning with that prefix, including:

https://docs.apify.com.evil.com/payload - attacker-controlled subdomain
https://docs.apify.com@evil.com/payload - userinfo component in URL (browser behavior varies, but fetch() in Node.js may follow this)
https://docs.apify.com.evil.com:8080/path - custom port on attacker domain

All of these pass the startsWith check because they begin with the exact string https://docs.apify.com.

The fetched content is returned to the LLM

After the allowlist check passes, the tool fetches the URL and returns the full page content as markdown (fetch_apify_docs.ts:69-103):

const response = await fetch(url);
// ...
const html = await response.text();
markdown = htmlToMarkdown(html);
// ...
return buildMCPResponse({ texts: [Fetched content from ${url}:\n\n${markdown}], ... });

The HTML is converted to markdown and returned verbatim to the LLM. This creates a prompt injection vector - the attacker's page can contain instructions that the LLM may follow.

While tools like get-html-skeleton have no domain allowlist at all - it accepts any URL. The fetch-apify-docs tool was clearly intended to be more restricted (documentation-only), but the startsWith check defeats that intent.

PoC

{
  "method": "tools/call",
  "params": {
    "name": "fetch-apify-docs",
    "arguments": {
      "url": "https://docs.apify.com.evil.com/prompt-injection-payload"
    }
  }
}

The URL passes the startsWith('https://docs.apify.com') check, fetches the attacker's page, and returns its content to the LLM.

Impact

Prompt injection via fetched content: Attacker hosts a page at docs.apify.com.evil.com containing LLM instructions. When the tool fetches and returns this content, the LLM may follow the injected instructions.
Security boundary violation: The allowlist was explicitly designed to restrict fetching to trusted documentation domains. The bypass defeats this intent.
SSRF (limited): The tool can fetch from attacker-controlled servers, though the primary risk is the content returned to the LLM rather than network access.
Account compromise via _meta.apifyToken: Injected prompt instructions can direct the LLM to include a specific _meta.apifyToken (the server's per-request token feature) in subsequent call-actor invocations, redirecting billable operations to a victim's account or accessing their private Actors

CVSS v3: 6.1
EG Score: 6.1(low)
EPSS: —
KEV: Not listed

Published

May 19, 2026

Last Modified

May 19, 2026

Vendor Advisories for CVE-2026-46341(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-jwp7-wg77-3w9v
GitHub Security AdvisoriesMedium
Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching

Data Freshness Timeline

(refreshed 7× in last 7d / 10× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

2026-06-09 21:33 UTCEG score recompute
2026-06-08 19:32 UTCEG score recompute
2026-06-07 14:09 UTCEG score recompute
2026-06-06 12:16 UTCEG score recompute
2026-06-05 10:26 UTCEG score recompute
2026-06-04 08:38 UTCEG score recompute
2026-06-03 06:49 UTCEG score recompute
2026-06-02 05:00 UTCEG score recompute
2026-06-01 03:11 UTCEG score recompute
2026-05-24 06:13 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-46341?

CVE-2026-46341 is a medium vulnerability published on May 19, 2026. Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching Summary The fetch-apify-docs tool validates URLs against a domain allowlist using String.startsWith() instead of proper URL hostname comparison. This allows bypass via…

When was CVE-2026-46341 disclosed?

CVE-2026-46341 was first published in the National Vulnerability Database on May 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

What is the CVSS score of CVE-2026-46341?

CVE-2026-46341 has a CVSS v4.0 base score of 6.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..

How do I remediate CVE-2026-46341?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-46341, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-46341

Explore →

Is Your Infrastructure Affected by CVE-2026-46341?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs