CVE-2026-46341: Domain Allowlist Bypass in @apify/actors-mcp-server via String Prefix Matching
A domain allowlist bypass vulnerability (CVE 2026 46341) affects @apify/actors mcp server versions < 0.9.21, rated 6.1 MEDIUM by CVSS v3.1. The fix is availabl…
Published on MyPrivateClaw
Jul 17, 2026, 5:05 PM UTC
Coverage date
Jul 17, 2026
Last updated
Jul 17, 2026, 5:05 PM UTC
News summary
CVE 2026 46341 is assigned to a domain allowlist bypass vulnerability in the @apify/actors mcp server npm package, affecting versions < 0.9.21. The vulnerability is CWE 20 (Improper Input Validation) and CWE 183 (Permissive List of Allowed Inputs), arising from the fetch apify docs tool using String.startsWith() for domain allowlist validation instead of proper URL hostname comparison. CVSS v3.1 base score is 6.1 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attacked, low complexity, no privileges required but user interaction required, changed scope, and low confidentiality and integrity impact. The vulnerability is fixed in version 0.9.21 of @apify/actors mcp server, released on May 4, 2026 as GitHub release v0.9.21 (commit e39bdee530da1db0b3b3d3713558b33c9608e629 by MQ37 via PR 781). The fetch apify docs tool returns fetched HTML converted to mar…