Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-32621

Apollo Federation has prototype pollution via incomplete key sanitization
Back to all
CVE

CVE-2026-32621

Apollo Federation has prototype pollution via incomplete key sanitization

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
9.9
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
C
H
U
-

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32621.json, https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh, https://nvd.nist.gov/vuln/detail/CVE-2026-32621

Severity

9.9

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.9
EPSS Probability
0.00043%
EPSS Percentile
0.13516%
Introduced Version
bda422b9e98aa10f0dc672a5c44c0037c4797171,74ca8517a4ce76e55e4f21ac71f82f1e9c5564d4,41bdeb73284a5527119f27e5e85e4cfdd6de7ef5,eee8a804859e880359313cf8a357182fded15bd7,0
Fix Available
83f0ae4daef7b44318d263dcb3a2496f3afa046e,f481a434a7a8bdd6b2537709e5fd72ae42af6dfd,2420f4cb2aef3ef61be46c3ee75cf6596699a4a1,5ba3d0fedda182856ca5fe9312af4089d8950a16,f4ef6ebd8de84116ca3bba861f5fb1af3ea0bbf0

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading