CVE-2026-32621
Description
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@apollo/federation-internalsnpm | < 2.9.6 | 2.9.6 |
@apollo/federation-internalsnpm | >= 2.10.0, < 2.10.5 | 2.10.5 |
@apollo/federation-internalsnpm | >= 2.11.0, < 2.11.6 | 2.11.6 |
@apollo/federation-internalsnpm | >= 2.12.0, < 2.12.3 | 2.12.3 |
@apollo/federation-internalsnpm | >= 2.13.0, < 2.13.2 | 2.13.2 |
@apollo/gatewaynpm | < 2.9.6 | 2.9.6 |
@apollo/gatewaynpm | >= 2.10.0, < 2.10.5 | 2.10.5 |
@apollo/gatewaynpm | >= 2.11.0, < 2.11.6 | 2.11.6 |
@apollo/gatewaynpm | >= 2.12.0, < 2.12.3 | 2.12.3 |
@apollo/gatewaynpm | >= 2.13.0, < 2.13.2 | 2.13.2 |
@apollo/query-plannernpm | < 2.9.6 | 2.9.6 |
@apollo/query-plannernpm | >= 2.10.0, < 2.10.5 | 2.10.5 |
@apollo/query-plannernpm | >= 2.11.0, < 2.11.6 | 2.11.6 |
@apollo/query-plannernpm | >= 2.12.0, < 2.12.3 | 2.12.3 |
@apollo/query-plannernpm | >= 2.13.0, < 2.13.2 | 2.13.2 |
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.