{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.13.0-preview.0"
              },
              {
                "fixed": "2.13.2"
              }
            ]
          },
          "events": [
            {
              "introduced": "bda422b9e98aa10f0dc672a5c44c0037c4797171"
            },
            {
              "fixed": "83f0ae4daef7b44318d263dcb3a2496f3afa046e"
            }
          ],
          "repo": "https://github.com/apollographql/federation",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.12.0-preview.0"
              },
              {
                "fixed": "2.12.3"
              }
            ]
          },
          "events": [
            {
              "introduced": "74ca8517a4ce76e55e4f21ac71f82f1e9c5564d4"
            },
            {
              "fixed": "f481a434a7a8bdd6b2537709e5fd72ae42af6dfd"
            }
          ],
          "repo": "https://github.com/apollographql/federation",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.11.0-preview.0"
              },
              {
                "fixed": "2.11.6"
              }
            ]
          },
          "events": [
            {
              "introduced": "41bdeb73284a5527119f27e5e85e4cfdd6de7ef5"
            },
            {
              "fixed": "2420f4cb2aef3ef61be46c3ee75cf6596699a4a1"
            }
          ],
          "repo": "https://github.com/apollographql/federation",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.10.0-alpha.0"
              },
              {
                "fixed": "2.10.5"
              }
            ]
          },
          "events": [
            {
              "introduced": "eee8a804859e880359313cf8a357182fded15bd7"
            },
            {
              "fixed": "5ba3d0fedda182856ca5fe9312af4089d8950a16"
            }
          ],
          "repo": "https://github.com/apollographql/federation",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "2.9.6"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "f4ef6ebd8de84116ca3bba861f5fb1af3ea0bbf0"
            }
          ],
          "repo": "https://github.com/apollographql/federation",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-pfjj-6f4p-rvmh"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-1321"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32621.json"
  },
  "details": "Apollo Federation is an architecture for declaratively composing APIs into a unified graph. In versions before 2.9.6, and in 2.10.0-alpha.0 through 2.10.4, 2.11.0-preview.0 through 2.11.5, 2.12.0-preview.0 through 2.12.2, and 2.13.0-preview.0 through 2.13.1, query plan execution in the gateway does not fully sanitize object keys derived from untrusted input, which may allow pollution of Object.prototype in certain scenarios. There are two reported vectors. First, a malicious client may be able to pollute Object.prototype in the gateway process directly by crafting operations whose field aliases and/or variable names target prototype-inheritable properties (for example keys such as __proto__ or constructor). Second, an attacker who has compromised a subgraph may be able to pollute Object.prototype in the gateway by returning JSON response payloads whose keys target prototype-inheritable properties. Because Object.prototype is shared across the whole Node.js process, a successful pollution can affect unrelated code paths in the gateway, which is reflected in the changed-scope CVSS vector. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2; operators should upgrade to the fixed release for their branch.",
  "id": "CVE-2026-32621",
  "modified": "2026-04-01T23:08:15.919036955Z",
  "published": "2026-03-13T20:29:54.875Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32621.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32621"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apollo Federation has prototype pollution via incomplete key sanitization"
}