CVE-2026-50143 is a high-severity server-side request forgery (SSRF) vulnerability in @apify/actors-mcp-server (npm), affecting versions < 0.10.11. It is fixed in 0.10.11.
Actor MCP path authority injection leaks Apify token

Summary

@apify/actors-mcp-server version 0.10.7 builds Actor standby URLs by directly concatenating a trusted base URL with an attacker-controlled webServerMcpPath value taken from an Actor definition returned by the Apify API. An attacker who publishes a malicious Actor with a crafted webServerMcpPath (e.g., @attacker.example/mcp) can cause the MCP client to resolve the final URL to an entirely different host. Because the MCP client unconditionally attaches the victim's Authorization: Bearer <APIFYTOKEN> header to every outbound connection, the victim's Apify API token is exfiltrated to the attacker's server.

CVSS Base Score: 8.1 (High).

Details

getActorMCPServerURL() in src/mcp/actors.ts:44 constructs the Actor standby MCP URL by naive string concatenation:

mcpServerPath originates from the webServerMcpPath field of an Actor definition fetched from the Apify API (src/utils/actor.ts:24-28). The field is trimmed and comma-split in getActorMCPServerPath() (src/mcp/actors.ts:14-20) but is never validated to:

- begin with a / (relative path),
- avoid an @ character (userinfo/authority injection), or
- resolve to the same origin as standbyUrl.

When webServerMcpPath is set to @attacker.example/mcp, the concatenated result becomes:

Node.js's WHATWG URL parser treats everything before @ as userinfo and extracts attacker.example as the hostname. This is not an edge-case browser behavior, it is specified by RFC 3986 and the WHATWG URL standard.

The constructed URL is forwarded to connectMCPClient() through three independent code paths:

| Call site | Trigger |
|---|---|
| src/tools/core/callactorcommon.ts:317 | call-actor MCP tool |
| src/utils/actordetails.ts:155 | fetch-actor-details MCP tool |
| src/mcp/server.ts:1047 | actor-mcp type tool loading |

connectMCPClient() (src/mcp/client.ts) attaches the victim's Apify token as a bearer credential to every transport type:

There is no origin check anywhere between URL construction and the outbound HTTP request.

Full data-flow chain:

1. src/mcp/server.ts:811, MCP tools/call request parameters are read.
2. src/mcp/server.ts:816, apifyToken is resolved from meta.apifyToken, server options, or process.env.APIFYTOKEN.
3. src/tools/core/callactorcommon.ts:489-497, attacker-controlled actor identifier is resolved via getActorMcpUrlCached().
4. src/utils/actor.ts:24-28, Actor definition is fetched from the Apify API; webServerMcpPath is passed to getActorMCPServerURL().
5. src/mcp/actors.ts:14-20, webServerMcpPath is trimmed and split; first element is returned without path validation.
6. src/mcp/actors.ts:44, standbyUrl + mcpServerPath produces an authority-injected URL.
7. connectMCPClient() is called with the injected URL and the victim's token.
8. src/mcp/client.ts:94/103/124, Authorization: Bearer <APIFYTOKEN> is sent to the attacker's host.

PoC

Environment requirements:

- Docker (network-isolated container; no external network access needed)
- The repository at commit 4e2b185 checked out under the build context

Build and run:

The Dockerfile:

- Generates a self-signed TLS certificate for 127.0.0.1 (IP SAN required for Node.js TLS validation).
- Installs @apify/[email protected] dependencies under pnpm.
- Sets NODE_EXTRA_CA_CERTS so Node.js trusts the self-signed CA.
- Runs exploit.mjs, which:
  - Starts an HTTPS capture server on 127.0.0.1:31337.
  - Constructs a webServerMcpPath of @127.0.0.1:31337/mcp.
  - Calls getActorMCPServerURL() directly, producing https://[email protected]:31337/mcp.
  - Calls connectMCPClient() with a simulated victim token (apifyapiVICTIMSECRETTOKENDEMO12345).
  - Asserts that the capture server received Authorization: Bearer apifyapiVICTIMSECRETTOKENDEMO12345.

Observed output (Phase 2 evidence):

Alternative MCP request path (real-world scenario):

A victim running @apify/actors-mcp-server connected to an MCP host sends the following request, where attacker/malicious-mcp is an Actor published with webServerMcpPath = "@attacker.example/mcp":

The attacker's server at attacker.example receives:

URL parser primitive (Node.js REPL verification):

Recommended fix:

Impact

Any user of @apify/actors-mcp-server who:

- has an Apify API token configured (via APIFYTOKEN, server options, or meta.apifyToken), and
- is induced to invoke call-actor, fetch-actor-details, or any actor-mcp type tool against an attacker-controlled Actor,

will have their Apify API token silently exfiltrated to the attacker's server. The Apify API token grants full access to the victim's Apify account, including running and managing Actors, accessing stored data, and incurring compute charges. The attack requires no special privileges on the victim's side and no code execution on the victim's machine, only a crafted Actor definition on the Apify platform.

This is a Server-Side Request Forgery (SSRF) / URL authority injection vulnerability. The attacker redirects the MCP client's outbound connection to an arbitrary host while the client continues to send the victim's credential.

Reproduction artifacts

- Dockerfile
- poc.py
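The validation that the Details section says is missing can be sketched as follows. This is an added example, not code from the advisory or from @apify/actors-mcp-server: the function names, the STANDBY_URL host, and the sample paths are constructed for illustration. It contrasts plain concatenation with a builder that requires a leading / and rejects any result that leaves the base origin.

```javascript
// Added example, not project code. STANDBY_URL and all sample paths are constructed.
const STANDBY_URL = 'https://my-actor.standby.example';

// The pattern the advisory describes: plain string concatenation.
function buildUrlNaive(standbyUrl, mcpServerPath) {
    return standbyUrl + mcpServerPath;
}

// Hardened variant: the path must start with "/", and the resolved URL must
// keep the base origin and carry no userinfo.
function buildUrlChecked(standbyUrl, mcpServerPath) {
    const base = new URL(standbyUrl);
    if (typeof mcpServerPath !== 'string' || !mcpServerPath.startsWith('/')) {
        throw new Error(`MCP path must start with "/": ${JSON.stringify(mcpServerPath)}`);
    }
    const resolved = new URL(mcpServerPath, base);
    // Also catches "//host" and "/\host", which WHATWG parsing reads as a new authority.
    if (resolved.origin !== base.origin || resolved.username || resolved.password) {
        throw new Error(`MCP path leaves origin ${base.origin}: ${JSON.stringify(mcpServerPath)}`);
    }
    return resolved.href;
}

// Host that would receive the bearer token for a given URL string.
function destination(urlString) {
    const u = new URL(urlString);
    return { host: u.host, userinfo: u.username };
}

// Classify candidate webServerMcpPath values against the checked builder.
function auditPaths(paths, standbyUrl = STANDBY_URL) {
    return paths.map((path) => {
        try {
            return { path, ok: true, url: buildUrlChecked(standbyUrl, path) };
        } catch (err) {
            const naiveHost = destination(buildUrlNaive(standbyUrl, path)).host;
            return { path, ok: false, naiveHost, reason: err.message };
        }
    });
}

const SAMPLE_PATHS = ['/mcp', '@attacker.example/mcp', '//attacker.example/mcp', '/\\attacker.example/mcp'];
console.log(auditPaths(SAMPLE_PATHS));
```

The origin comparison is the decisive check: the leading-slash test alone would still accept `//attacker.example/mcp` if the value were resolved as a relative reference instead of concatenated.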
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2026-50143 has a CVSS score of 8.1 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.10.11). Upgrading removes the vulnerable code path.
npm: @apify/actors-mcp-server (< 0.10.11) → 0.10.11

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-50143 is reachable in your applications.
Upgrade @apify/actors-mcp-server to 0.10.11 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-50143 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
@apify/actors-mcp-server (npm) versions < 0.10.11 are affected.
Yes. CVE-2026-50143 is fixed in 0.10.11. Upgrade to this version or later.
Whether CVE-2026-50143 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns.
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk.
Upgrade @apify/actors-mcp-server to 0.10.11 or later.