Description
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.
Published: 2026-03-13
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution
Action: Immediate Patch
AI Analysis

Impact

Apollo Federation's query plan execution performs incomplete sanitization of keys derived from field aliases, variable names, and subgraph JSON responses, which lets a malicious actor target JavaScript's prototype-inheritable properties and pollute Object.prototype. Prototype pollution can alter the behaviour of subsequent requests processed by the gateway. The advisory does not state that this leads to remote code execution, so the confirmed impact is limited to potential behaviour changes. Based on the description, it is inferred that a denial of service or other unintended functionality could result, but such effects are not confirmed by the vendor.
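
To make the mechanism concrete, the JavaScript below is an added illustration written for this page, not Apollo's gateway code: a recursive merge of the kind that folds alias-keyed response fields into a result object, shown first in a vulnerable form and then hardened. The payload, function names and key denylist are constructed for the example. The hardened version rejects prototype-inheritable keys, descends only into own properties, and allocates intermediate objects with a null prototype so that a missed key still cannot reach Object.prototype.

```javascript
// Added example (not Apollo's code). Demonstrates CWE-1321 in a merge routine
// and the checks that prevent it. All inputs are constructed here; no real
// gateway or subgraph is involved.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Keys that must never index a plain object, even though each one is a
// syntactically valid GraphQL name (and so a valid alias or variable name).
function isSafeKey(key) {
  return !FORBIDDEN_KEYS.has(key);
}

function isPlainObjectLike(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: the key is trusted. When key === "__proto__", target[key]
// resolves to Object.prototype and the recursive call writes into it.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObjectLike(value)) {
      if (!isPlainObjectLike(target[key])) target[key] = {};
      unsafeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: (1) refuse prototype-inheritable keys, (2) only reuse a nested
// object that is an own property of target, (3) create nested objects with
// a null prototype so there is no prototype chain to pollute.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (!isSafeKey(key)) {
      throw new Error(`refusing to merge prototype-inheritable key: ${key}`);
    }
    const value = source[key];
    if (isPlainObjectLike(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObjectLike(target[key])) {
        target[key] = Object.create(null);
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload shaped like a JSON response whose field name collides
// with a prototype-inheritable property. JSON.parse keeps "__proto__" as an
// own data property, which is exactly what Object.keys() then iterates.
const POLLUTING_RESPONSE = JSON.parse('{"data":{"__proto__":{"polluted":true}}}');

// Runs the vulnerable merge, reports whether an unrelated object now inherits
// the injected property, then removes it so the process is left clean.
function demonstrateUnsafeMerge() {
  unsafeDeepMerge({}, POLLUTING_RESPONSE);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

// Runs the hardened merge on the same payload: the merge is refused and
// nothing reaches Object.prototype.
function demonstrateSafeMerge() {
  let rejected = false;
  try {
    safeDeepMerge({}, POLLUTING_RESPONSE);
  } catch (e) {
    rejected = true;
  }
  return { rejected, leaked: ({}).polluted === true };
}

// A benign response still merges correctly with the hardened routine.
function demonstrateBenignMerge() {
  const out = safeDeepMerge({}, JSON.parse('{"data":{"me":{"id":"1","name":"x"}}}'));
  return out.data.me.name;
}

console.log("unsafe leaked:", demonstrateUnsafeMerge());
console.log("safe:", demonstrateSafeMerge(), "benign:", demonstrateBenignMerge());
```

Note that `__proto__` and `constructor` match the GraphQL name grammar, so validating an alias or variable name as a well-formed GraphQL name does not exclude them; the explicit denylist or null-prototype storage is what closes the gap, and a Map keyed by name is an equally sound alternative to Object.create(null).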

Affected Systems

The vulnerability affects @apollo/federation-internals, @apollo/gateway, and @apollo/query-planner. All releases prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2 are affected, as explicitly identified in the advisory's version table.

Risk and Exploitability

The CVSS score of 9.9 classifies the flaw as critical, indicating a high potential for severe impact. The EPSS score is reported as less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation can occur when a malicious client crafts GraphQL operations with field aliases or variable names that target prototype-inheritable properties, or when a compromised subgraph sends specially crafted JSON response payloads. Based on the description, it is inferred that no special privileges are required; thus an authenticated or unauthenticated user could potentially attempt exploitation.

Generated by OpenCVE AI on March 17, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @apollo/federation-internals, @apollo/gateway, and @apollo/query-planner to any of the fixed releases: 2.9.6, 2.10.5, 2.11.6, 2.12.3, or 2.13.2
  • If immediate upgrade is not possible, avoid using affected subgraphs or clients until a newer patch is applied

Advisories

Source: GitHub GHSA
ID: GHSA-pfjj-6f4p-rvmh
Title: Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
History

Each entry lists the record fields changed at that time; every change below is a value added, none removed.

Mon, 16 Mar 2026 21:15:00 +0000
  Metrics (added): ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000
  First Time appeared (added): Apollographql; Apollographql federation-internals; Apollographql gateway; Apollographql query-planner
  Vendors & Products (added): Apollographql; Apollographql federation-internals; Apollographql gateway; Apollographql query-planner

Fri, 13 Mar 2026 20:45:00 +0000
  Description (added): Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.
  Title (added): Apollo Federation has prototype pollution via incomplete key sanitization
  Weaknesses (added): CWE-1321
  References (added):
  Metrics (added): cvssV3_1
  {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T20:14:57.335Z

Reserved: 2026-03-12T15:29:36.557Z

Link: CVE-2026-32621

Vulnrichment

Updated: 2026-03-16T20:14:41.352Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:19:39.797

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-32621

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:56Z

Weaknesses