Apify Model Context Protocol (MCP) Server: Actor MCP Path Authority Injection Leaks Apify Token
A vulnerability in `@apify/actors-mcp-server` version `0.10.7` allows an attacker to inject a malicious `webServerMcpPath` value, causing the MCP client to exfiltrate the victim's Apify API token to the attacker's server. This is a Server-Side Request Forgery (SSRF) / URL authority injection vulnerability with a CVSS Base Score of 8.1 (High).