CVE-2026-50143 — Apify MCP Server Token Leak via Path Authority Injection
AI relevance: MCP servers are the connective tissue for agentic AI tooling — a path injection flaw that leaks authentication tokens exposes the entire agent ecosystem to credential theft and downstream compromise.
- What: CVE-2026-50143 is a high-severity vulnerability in @apify/actors-mcp-server (npm) that allows attackers to inject malicious actor paths via authority injection, causing the MCP server to leak Apify API tokens to unauthorized endpoints.
- Discovery: Published July 2, 2026 via GitHub Advisory Database. The flaw was identified during security audits of the Apify MCP ecosystem as part of broader MCP supply-chain hardening efforts.
- Root cause: The MCP server failed to properly validate actor path parameters before passing them to downstream API calls. Attackers could craft path strings containing authority components (e.g., attacker.com@legitimate-actor) that bypassed input validation and redirected token-bearing requests to attacker-controlled infrastructure.
- Impact scope: Any deployment using @apify/actors-mcp-server to expose Apify Actors as MCP tools for AI agents (Claude Code, Cursor, Codex CLI, Gemini CLI, etc.). This includes enterprise automation pipelines, agent workspaces, and CI/CD integrations.
- Attack scenario: An attacker with access to prompt or influence agent tool calls (via poisoned MCP tool descriptions, indirect prompt injection in agent inputs, or compromised agent skills) could inject a malicious actor path. The MCP server would then send the user's Apify token to the attacker's endpoint, enabling full account takeover and access to all Actors, datasets, and key-value stores the token could reach.
- MCP supply-chain context: This is the latest in a wave of MCP-specific CVEs in 2026. Practical DevSecOps reported 30+ MCP CVEs in a 60-day window in mid-2026, with CVE-2026-33032 (CVSS 9.8) actively exploited. Microsoft's June 2026 security blog warned that MCP's "fastest-growing part of the agentic AI supply chain" status makes it a prime attack surface.
- Broader pattern: Path authority injection joins prompt injection, tool poisoning, token passthrough, and SSRF as the core MCP attack classes identified by n8n's July 1 security analysis. The common thread: MCP servers mix instructions and data in the same trust boundary, and validation gaps in either dimension become agent-level compromises.
- Remediation: Update @apify/actors-mcp-server to the latest patched version (check the npm advisory for the exact version). Audit logs for any unexpected outbound API calls containing Apify tokens. Rotate all Apify API tokens used in environments where the vulnerable server was deployed. Implement strict path validation that rejects authority components in actor identifiers.
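As an added example (not code from @apify/actors-mcp-server or from Apify), this is the strict actor-identifier validation the root-cause and remediation bullets call for, plus an origin check applied before a token is attached to any request. The accepted identifier shapes, the API origin constant and the function names are assumptions, not the package's own API.

```javascript
// Added illustration, not the package's own code. Assumptions: the API origin,
// the accepted identifier shapes and the function names are all mine.
const API_ORIGIN = 'https://api.apify.com';

// Accepted shapes (assumption): "username/actor-name" or a bare alphanumeric ID.
// Everything else is rejected, which covers '@', ':', '//', '?', '#' and '..',
// i.e. anything a URL parser could read as an authority or a path escape.
const ACTOR_ID_RE =
  /^(?:[a-z0-9][a-z0-9-]{0,62}\/[a-z0-9][a-z0-9._-]{0,62}|[a-zA-Z0-9]{10,32})$/;

function isValidActorId(raw) {
  return typeof raw === 'string' && ACTOR_ID_RE.test(raw);
}

// Build the Actor endpoint only from a validated id, then re-check the parsed
// result so that even a mistake in the regex cannot move the request off-origin.
function buildActorUrl(raw) {
  if (!isValidActorId(raw)) {
    throw new Error(`rejected actor id: ${JSON.stringify(raw)}`);
  }
  // The API addresses "username/actor-name" as "username~actor-name" in the path.
  const pathId = encodeURIComponent(raw.replace('/', '~'));
  const url = new URL(`/v2/acts/${pathId}`, API_ORIGIN);
  if (url.origin !== API_ORIGIN || url.username || url.password) {
    throw new Error('resolved URL left the expected origin');
  }
  return url.href;
}

// Defense in depth for URLs assembled anywhere else in the server: the bearer
// token is attached only when the final origin is the expected API host and
// the URL carries no userinfo, so an injected authority can never receive it.
function authorizedRequestOptions(urlString, token) {
  const url = new URL(urlString);
  if (url.origin !== API_ORIGIN || url.username || url.password) {
    throw new Error(`refusing to send token to ${url.origin}`);
  }
  return { url: url.href, headers: { Authorization: `Bearer ${token}` } };
}
```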
Why it matters
MCP servers are becoming the default integration layer for agentic AI — they let Claude Code call your internal tools, let Cursor automate your workflow, let custom agents orchestrate multi-step tasks across services. But every MCP tool is a trust boundary: the agent trusts the tool to do what it says, and the tool trusts the agent to pass valid inputs. CVE-2026-50143 shows how a validation gap at that boundary can leak the most sensitive credential in the chain. For AI ops teams, this means MCP server security is not optional — it's the same as securing your API gateway or your CI/CD pipeline.
What to do
- Immediate: Check if your agent tooling uses @apify/actors-mcp-server. If yes, update to the patched version immediately and rotate all Apify tokens.
- Short-term: Audit all MCP server deployments for input validation on path parameters, actor IDs, and tool arguments. Treat MCP tool descriptions as untrusted input — scan for injection patterns in tool registration and runtime calls.
- Medium-term: Implement MCP server allowlisting: only permit agents to call explicitly approved MCP servers with explicitly approved tool definitions. Log all MCP tool calls with full argument traces for forensic review.
- Strategic: Adopt the MCP security controls outlined by Microsoft and n8n: OAuth 2.1 for MCP authentication, scoped tool calls, credential isolation, and human-in-the-loop approval for high-risk actions. The MCP ecosystem is maturing fast — but security controls are lagging adoption.