CVE-2026-32621

Aliases:GHSA-pfjj-6f4p-rvmh
PUBLISHED
Published: 13 Mar 2026, 20:29
Last modified:13 Mar 2026, 20:29

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.9 CRITICAL
v3.1 (cve.org)
EPSS Score
0.03% LOW
0% probability
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

13 Mar 2026, 20:29
Published
Vulnerability first disclosed

Description

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.

CVSS Metrics

  • v3.1CRITICALScore: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

EPSS Trends

Current EPSS score: 0.03% Percentile: 8%

Techniques & Countermeasures

  • CWE-1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

    The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Affected Systems

  • @apollofederation-internals

    ≥ 2.13.0-preview.0, < 2.13.2 | ≥ 2.12.0-preview.0, < 2.12.3 | ≥ 2.11.0-preview.0, < 2.11.6 | ≥ 2.10.0-alpha.0, < 2.10.5 | < 2.9.6

  • @apollogateway

    ≥ 2.13.0-preview.0, < 2.13.2 | ≥ 2.12.0-preview.0, < 2.12.3 | ≥ 2.11.0-preview.0, < 2.11.6 | ≥ 2.10.0-alpha.0, < 2.10.5 | < 2.9.6

  • @apolloquery-planner

    ≥ 2.13.0-preview.0, < 2.13.2 | ≥ 2.12.0-preview.0, < 2.12.3 | ≥ 2.11.0-preview.0, < 2.11.6 | ≥ 2.10.0-alpha.0, < 2.10.5 | < 2.9.6

  • @apollofederation-internals

    < 2.9.6 | ≥ 2.10.0, < 2.10.5 | ≥ 2.11.0, < 2.11.6 | ≥ 2.12.0, < 2.12.3 | ≥ 2.13.0, < 2.13.2

  • @apollogateway

    < 2.9.6 | ≥ 2.10.0, < 2.10.5 | ≥ 2.11.0, < 2.11.6 | ≥ 2.12.0, < 2.12.3 | ≥ 2.13.0, < 2.13.2

  • @apolloquery-planner

    < 2.9.6 | ≥ 2.10.0, < 2.10.5 | ≥ 2.11.0, < 2.11.6 | ≥ 2.12.0, < 2.12.3 | ≥ 2.13.0, < 2.13.2

References (2)