CRITICAL🇵🇱 Wersja polska

CVE-2026-32621

CVSS 9.9v3.1pub. 2026-03-16upd. 2026-04-28

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.

🤖 AI Analysis
How it works

A malicious client can cause Object.prototype poisoning directly in the gateway through properly crafted GraphQL operations containing field aliases or variable names pointing to prototype-inherited properties. Alternatively, if one of the subgraphs (subgraph) were compromised, an attacker could pollute Object.prototype in the gateway through crafted JSON responses containing keys referencing prototype-inherited properties. The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).

Impact

An attacker can modify global Object.prototype properties in the gateway runtime environment, which depending on context may lead to unauthorized data access, violation of integrity of processed requests, or service destabilization. The scope of breach includes high level of data confidentiality and integrity impact as well as moderate impact on availability, with the vulnerability crossing component boundaries (Scope: Changed).

Mitigation & patch

Apollo Federation should be updated to one of the patched versions: 2.9.6, 2.10.5, 2.11.6, 2.12.3, or 2.13.2. Detailed information is available in the official security advisory from the vendor at the address indicated in the references.

Who is affected

Apollo Federation in versions prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References