CVE-2026-32621
Published 2026-03-16
Priority P2 · 64 · critical · 9.9 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS: 0.51% (39.7th percentile)
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.
Affected
30 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apollo | federation-internals | < 2.9.6 | 2.9.6 |
| apollo | federation-internals | >= 0 < 2.9.6 | 2.9.6 |
| apollo | federation-internals | >= 2.10.0 < 2.10.5 | 2.10.5 |
| apollo | federation-internals | >= 2.11.0 < 2.11.6 | 2.11.6 |
| apollo | federation-internals | >= 2.12.0 < 2.12.3 | 2.12.3 |
| apollo | federation-internals | >= 2.13.0 < 2.13.2 | 2.13.2 |
| apollo | gateway | < 2.9.6 | 2.9.6 |
| apollo | gateway | >= 0 < 2.9.6 | 2.9.6 |
| apollo | gateway | >= 2.10.0 < 2.10.5 | 2.10.5 |
| apollo | gateway | >= 2.11.0 < 2.11.6 | 2.11.6 |
| apollo | gateway | >= 2.12.0 < 2.12.3 | 2.12.3 |
| apollo | gateway | >= 2.13.0 < 2.13.2 | 2.13.2 |
| apollo | query-planner | < 2.9.6 | 2.9.6 |
OSV · 2026-03-13
CVE-2026-32621 [CRITICAL] Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
### Impact
A vulnerability exists in query plan execution within the gateway that may allow pollution of `Object.prototype` in certain scenarios. A malicious client may be able to pollute `Object.prototype` in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute `Object.prototype` in gateway by crafting JSON response payloads that target prototype-inheritable properties.
Because `Object.prototype` is shared across the Node.js process, successful exploitation can affect subsequent requests to the gateway instance. This may result in
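The advisory names the root cause as incomplete key sanitization of client-chosen names and subgraph JSON. As an added illustration (not Apollo's code and not the actual fix), the JavaScript below shows the check a Node.js service can apply to untrusted JSON before copying it into plain objects: it reports every key that resolves to a prototype-inheritable property, and produces a copy built from null-prototype objects with those keys dropped. The sample response is constructed for the example, and `isUnsafeKey`, `findUnsafeKeys`, `sanitize` and `demo` are hypothetical helper names.

```javascript
'use strict';

// Keys that must never be copied from untrusted JSON into a plain object:
// the well-known setter/constructor names, plus anything that already
// resolves through Object.prototype (hasOwnProperty, toString, valueOf, ...).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return FORBIDDEN_KEYS.has(key) || key in Object.prototype;
}

// Detection: walk a parsed JSON value and return JSONPath-like locations of
// every unsafe key so they can be logged or alerted on before use.
function findUnsafeKeys(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findUnsafeKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    // JSON.parse creates "__proto__" as an own data property, so Object.keys sees it.
    for (const key of Object.keys(value)) {
      const childPath = `${path}.${key}`;
      if (isUnsafeKey(key)) found.push(childPath);
      findUnsafeKeys(value[key], childPath, found);
    }
  }
  return found;
}

// Mitigation: deep-copy a parsed JSON value into null-prototype objects,
// dropping unsafe keys, so later property writes cannot reach Object.prototype.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value === null || typeof value !== 'object') return value;
  const clean = Object.create(null);
  for (const key of Object.keys(value)) {
    if (!isUnsafeKey(key)) clean[key] = sanitize(value[key]);
  }
  return clean;
}

// Constructed sample (hypothetical, not from the advisory): a subgraph-style
// response whose keys target prototype-inheritable properties.
const SAMPLE_RESPONSE = JSON.parse(
  '{"data":{"product":{"id":"p1","__proto__":{"isAdmin":true}},' +
  '"aliasList":[{"constructor":{"x":1}}]}}'
);

function demo() {
  const hits = findUnsafeKeys(SAMPLE_RESPONSE);
  const clean = sanitize(SAMPLE_RESPONSE);
  // `polluted` stays false: nothing was ever written through a prototype chain.
  return { hits, clean, polluted: ({}).isAdmin !== undefined };
}
```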
GHSA · 2026-03-13
CVE-2026-32621 [CRITICAL] CWE-1321 Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
No detection rules found.
No public exploits indexed.