{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32621", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.557Z", "datePublished": "2026-03-13T20:29:54.875Z", "dateUpdated": "2026-03-16T20:14:57.335Z"}, "containers": {"cna": {"title": "Apollo Federation has prototype pollution via incomplete key sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh"}], "affected": [{"vendor": "@apollo", "product": "federation-internals", "versions": [{"version": ">= 2.13.0-preview.0, < 2.13.2", "status": "affected"}, {"version": ">= 2.12.0-preview.0, < 2.12.3", "status": "affected"}, {"version": ">= 2.11.0-preview.0, < 2.11.6", "status": "affected"}, {"version": ">= 2.10.0-alpha.0, < 2.10.5", "status": "affected"}, {"version": "< 2.9.6", "status": "affected"}]}, {"vendor": "@apollo", "product": "gateway", "versions": [{"version": ">= 2.13.0-preview.0, < 2.13.2", "status": "affected"}, {"version": ">= 2.12.0-preview.0, < 2.12.3", "status": "affected"}, {"version": ">= 2.11.0-preview.0, < 2.11.6", "status": "affected"}, {"version": ">= 2.10.0-alpha.0, < 2.10.5", "status": "affected"}, {"version": "< 2.9.6", "status": "affected"}]}, {"vendor": "@apollo", "product": "query-planner", "versions": [{"version": ">= 2.13.0-preview.0, < 2.13.2", "status": "affected"}, {"version": ">= 2.12.0-preview.0, < 2.12.3", "status": "affected"}, {"version": ">= 2.11.0-preview.0, < 2.11.6", "status": "affected"}, {"version": ">= 2.10.0-alpha.0, < 2.10.5", "status": "affected"}, {"version": "< 2.9.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T20:29:54.875Z"}, "descriptions": [{"lang": "en", "value": "Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2."}], "source": {"advisory": "GHSA-pfjj-6f4p-rvmh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T20:14:28.668002Z", "id": "CVE-2026-32621", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:14:57.335Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32621", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T20:14:28.668002Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:14:41.352Z"}}], "cna": {"title": "Apollo Federation has prototype pollution via incomplete key sanitization", "source": {"advisory": "GHSA-pfjj-6f4p-rvmh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "@apollo", "product": "federation-internals", "versions": [{"status": "affected", "version": ">= 2.13.0-preview.0, < 2.13.2"}, {"status": "affected", "version": ">= 2.12.0-preview.0, < 2.12.3"}, {"status": "affected", "version": ">= 2.11.0-preview.0, < 2.11.6"}, {"status": "affected", "version": ">= 2.10.0-alpha.0, < 2.10.5"}, {"status": "affected", "version": "< 2.9.6"}]}, {"vendor": "@apollo", "product": "gateway", "versions": [{"status": "affected", "version": ">= 2.13.0-preview.0, < 2.13.2"}, {"status": "affected", "version": ">= 2.12.0-preview.0, < 2.12.3"}, {"status": "affected", "version": ">= 2.11.0-preview.0, < 2.11.6"}, {"status": "affected", "version": ">= 2.10.0-alpha.0, < 2.10.5"}, {"status": "affected", "version": "< 2.9.6"}]}, {"vendor": "@apollo", "product": "query-planner", "versions": [{"status": "affected", "version": ">= 2.13.0-preview.0, < 2.13.2"}, {"status": "affected", "version": ">= 2.12.0-preview.0, < 2.12.3"}, {"status": "affected", "version": ">= 2.11.0-preview.0, < 2.11.6"}, {"status": "affected", "version": ">= 2.10.0-alpha.0, < 2.10.5"}, {"status": "affected", "version": "< 2.9.6"}]}], "references": [{"url": "https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh", "name": "https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T20:29:54.875Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32621", "state": "PUBLISHED", "dateUpdated": "2026-03-16T20:14:57.335Z", "dateReserved": "2026-03-12T15:29:36.557Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T20:29:54.875Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2."}, {"lang": "es", "value": "Apollo Federation es una arquitectura para componer declarativamente APIs en un grafo unificado. Antes de 2.9.6, 2.10.5, 2.11.6, 2.12.3 y 2.13.2, existe una vulnerabilidad en la ejecuci\u00f3n del plan de consulta dentro del gateway que puede permitir la contaminaci\u00f3n de Object.prototype en ciertos escenarios. Un cliente malicioso puede ser capaz de contaminar Object.prototype en el gateway directamente elaborando operaciones con alias de campo y/o nombres de variables que apuntan a propiedades heredables del prototipo. Alternativamente, si un subgrafo fuera comprometido por un actor malicioso, podr\u00edan ser capaces de contaminar Object.prototype en el gateway elaborando cargas \u00fatiles de respuesta JSON que apuntan a propiedades heredables del prototipo. Esta vulnerabilidad est\u00e1 corregida en 2.9.6, 2.10.5, 2.11.6, 2.12.3 y 2.13.2."}], "id": "CVE-2026-32621", "lastModified": "2026-04-28T21:13:28.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:39.797", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.13.0-preview.0,2.13.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-preview.0,2.12.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.11.0-preview.0,2.11.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.10.0-alpha.0,2.10.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "federation-internals", "source": "cna", "vendor": "@apollo"}, "product": "federation-internals", "vendor": "apollographql"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.13.0-preview.0,2.13.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-preview.0,2.12.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.11.0-preview.0,2.11.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.10.0-alpha.0,2.10.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "gateway", "source": "cna", "vendor": "@apollo"}, "product": "gateway", "vendor": "apollographql"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.13.0-preview.0,2.13.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-preview.0,2.12.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.11.0-preview.0,2.11.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.10.0-alpha.0,2.10.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "query-planner", "source": "cna", "vendor": "@apollo"}, "product": "query-planner", "vendor": "apollographql"}], "analysis": {"en": {"generated_at": "2026-03-17T00:35:48.008183+00:00", "value": {"mitigation_remediation": ["Upgrade @apollo:federation\u2011internals, @apollo:gateway, and @apollo:query\u2011planner to any of the fixed releases: 2.9.6, 2.10.5, 2.11.6, 2.12.3, or 2.13.2", "If immediate upgrade is not possible, avoid using affected subgraphs or clients until a newer patch is applied"], "summary": {"action": "Immediate Patch", "impact": "Prototype Pollution"}, "threat_synthesis": {"affected_systems": "The vulnerability exposes @apollo:federation\u2011internals, @apollo:gateway, and @apollo:query\u2011planner. All releases prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2 are affected as explicitly identified in the advisory\u2019s version table.", "description_and_impact": "Apollo Federation\u2019s query plan execution performs incomplete sanitization of keys used in field aliases, variable names, and JSON responses, which allows a malicious actor to target JavaScript\u2019s prototype\u2011inheritable properties and pollute Object.prototype. Pollution of the prototype can alter the behaviour of subsequent requests processed by the gateway. The advisory does not state that this leads to remote code execution; therefore the impact is limited to potential behaviour changes and, based on the description, it is inferred that a denial\u2011of\u2011service or other unintended functionality could result, but such effects are not confirmed by the vendor.", "risk_and_exploitability": "The CVSS score of 9.9 classifies the flaw as critical, indicating a high potential for severe impact. The EPSS score is reported as less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation can occur by a malicious client crafting GraphQL operations with field aliases or variable names that target prototype\u2011inheritable properties, or by a compromised subgraph sending specially crafted JSON response payloads. Based on the description, it is inferred that no special privileges are required; thus an authenticated or unauthenticated user could potentially attempt exploitation."}}}}, "created": "2026-03-16T09:23:53.271302+00:00", "updated": "2026-03-23T13:39:56.746752+00:00", "vendors": ["apollographql", "apollographql$PRODUCT$federation-internals", "apollographql$PRODUCT$gateway", "apollographql$PRODUCT$query-planner"]}