CVE-2026-32621
published 2026-03-16


Priority: P2 · 64 · critical 9.9 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS: 0.51% (39.7th percentile)
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.
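As an added illustration, not code from the advisory or from Apollo's gateway (the real fix ships in the versions listed above): a null-prototype merge for subgraph JSON responses and a check on client variable names, the two inputs the description names. The sample response is constructed; checking field aliases would need the same test applied to names taken from the parsed document, which is assumed out of scope here.

```javascript
// Added example (not from the advisory or Apollo's code): defensive handling of
// client variable names and subgraph JSON responses so that neither can reach
// Object.prototype through a key such as __proto__ or constructor.

// A name is "prototype-inheritable" if it is a member of Object.prototype
// (including the __proto__ accessor) or the special 'prototype' key.
function isPrototypeInheritable(name) {
  return name === 'prototype' || name in Object.prototype;
}

// Check the variable names of an incoming operation (the keys of the JSON
// "variables" object). Returns the offending names; an empty array means clean.
function unsafeVariableNames(variables) {
  if (variables === null || typeof variables !== 'object') return [];
  return Object.keys(variables).filter(isPrototypeInheritable);
}

// Deep-merge a subgraph response into an accumulator without ever writing
// through the prototype chain: nested targets are created with a null
// prototype, and inheritable keys are skipped instead of assigned.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPrototypeInheritable(key)) continue; // drop __proto__, constructor, toString, ...
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = target[key];
      const child = (existing !== null && typeof existing === 'object' && !Array.isArray(existing))
        ? existing : Object.create(null);
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: a subgraph response carrying a prototype-targeting key next
// to legitimate data. JSON.parse keeps "__proto__" as an ordinary own property.
const SAMPLE_SUBGRAPH_RESPONSE = JSON.parse(
  '{"data":{"product":{"id":"p1","__proto__":{"polluted":true},"price":{"amount":10}}}}'
);

// Merge the sample and report what survived; globalPolluted stays false because
// Object.prototype was never touched.
function mergeSample() {
  const merged = safeMerge(Object.create(null), SAMPLE_SUBGRAPH_RESPONSE);
  return {
    id: merged.data.product.id,
    amount: merged.data.product.price.amount,
    hasProtoKey: Object.keys(merged.data.product).includes('__proto__'),
    globalPolluted: ({}).polluted !== undefined,
  };
}
```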

Affected

30 ranges · showing 25

Vendor | Product              | Version range       | Fixed in
apollo | federation-internals | < 2.9.6             | 2.9.6
apollo | federation-internals | >= 0 < 2.9.6        | 2.9.6
apollo | federation-internals | >= 2.10.0 < 2.10.5  | 2.10.5
apollo | federation-internals | >= 2.11.0 < 2.11.6  | 2.11.6
apollo | federation-internals | >= 2.12.0 < 2.12.3  | 2.12.3
apollo | federation-internals | >= 2.13.0 < 2.13.2  | 2.13.2
apollo | gateway              | < 2.9.6             | 2.9.6
apollo | gateway              | >= 0 < 2.9.6        | 2.9.6
apollo | gateway              | >= 2.10.0 < 2.10.5  | 2.10.5
apollo | gateway              | >= 2.11.0 < 2.11.6  | 2.11.6
apollo | gateway              | >= 2.12.0 < 2.12.3  | 2.12.3
apollo | gateway              | >= 2.13.0 < 2.13.2  | 2.13.2
apollo | query-planner        | < 2.9.6             | 2.9.6