PT-2026-25379 · Npm+3 · @Apollo/Federation-Internals+7

R3Dbrothers · Published 2026-03-13 · Updated 2026-03-20 · CVE-2026-32621

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Apollo Federation versions prior to 2.9.6
Apollo Federation versions prior to 2.10.5
Apollo Federation versions prior to 2.11.6
Apollo Federation versions prior to 2.12.3
Apollo Federation versions prior to 2.13.2

Description

Apollo Federation is an architecture for composing APIs into a unified graph. A flaw exists in query plan execution within the gateway that can allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph is compromised, a malicious actor may be able to pollute Object.prototype by crafting JSON response payloads that target prototype-inheritable properties. Because Object.prototype is shared across the Node.js process, successful exploitation can affect subsequent requests to the gateway instance, potentially resulting in unexpected application behavior, privilege escalation, or data integrity issues. As of the date of this advisory, there are no reported exploitations of this issue.

Recommendations

Upgrade to Apollo Federation version 2.9.6 or later.
Upgrade to Apollo Federation version 2.10.5 or later.
Upgrade to Apollo Federation version 2.11.6 or later.
Upgrade to Apollo Federation version 2.12.3 or later.
Upgrade to Apollo Federation version 2.13.2 or later.
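As an added illustration, not Apollo Federation's code and not the fix shipped in the patched versions, the following JavaScript shows the generic mechanism the description names: a JSON payload whose key is a prototype-inheritable property name ("__proto__") is written into a result object by a naive recursive merge, after which every plain object in the process inherits the injected property. Beside it sits a hardened merge that refuses such keys and only descends into the target's own properties, a walker that reports where such keys occur in a parsed payload so a response can be rejected up front, and the same denylist applied to client-controlled names (aliases, variable names). The payload and the names unsafeMerge, safeMerge, findForbiddenKeys and isSafeResponseKey are constructed for this example.

```javascript
// Added, hypothetical example: not Apollo Federation code and not the vendor's
// fix. It demonstrates the generic prototype-pollution mechanism named in the
// advisory and a defensive pattern for code that merges untrusted JSON.

// Constructed sample: a subgraph response whose "user" object carries a
// "__proto__" key. JSON.parse creates it as an ordinary own property.
const maliciousPayload = JSON.parse(
  '{"data":{"user":{"name":"alice","__proto__":{"isAdmin":true}}}}'
);

// Keys that, when written through a plain object, reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive recursive merge: the shape of code that becomes vulnerable.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // target["__proto__"] evaluates to Object.prototype, so the recursion
      // below writes every nested key onto the shared prototype.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drop the dangerous keys and only descend into the target's
// own properties, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or reject the whole payload
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: walk a parsed payload and report JSONPath-style locations of
// forbidden keys, so a response can be rejected before any merge happens.
function findForbiddenKeys(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findForbiddenKeys(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) hits.push(here);
      hits.push(...findForbiddenKeys(value[key], here));
    }
  }
  return hits;
}

// The same denylist applied to client-controlled names (field aliases and
// variable names). "__proto__" and "constructor" are syntactically valid
// GraphQL names, so a grammar check alone does not catch them.
function isSafeResponseKey(name) {
  return /^[_A-Za-z][_0-9A-Za-z]*$/.test(name) && !FORBIDDEN_KEYS.has(name);
}

// Runs the vulnerable merge, observes the effect on an unrelated object, then
// removes the injected property so the rest of the process is unaffected.
function demonstrateUnsafeMerge() {
  const result = unsafeMerge({}, maliciousPayload.data);
  const polluted = ({}).isAdmin === true;
  const ownIsAdmin = Object.prototype.hasOwnProperty.call(result.user, 'isAdmin');
  delete Object.prototype.isAdmin;
  return { polluted, ownIsAdmin };
}

function demonstrateSafeMerge() {
  const result = safeMerge({}, maliciousPayload.data);
  return { polluted: ({}).isAdmin === true, userName: result.user.name };
}

console.log('unsafe:', demonstrateUnsafeMerge());          // { polluted: true, ownIsAdmin: false }
console.log('safe:', demonstrateSafeMerge());              // { polluted: false, userName: 'alice' }
console.log('hits:', findForbiddenKeys(maliciousPayload)); // [ '$.data.user.__proto__' ]
console.log('alias ok?', isSafeResponseKey('__proto__'));  // false
```

The unsafe variant never creates an own isAdmin on the merged user object; the value lands on Object.prototype, which is why the advisory stresses that subsequent, unrelated requests in the same Node.js process are affected. In a gateway, the walker belongs on every subgraph response before it is merged, and the name check on aliases and variable names before a query plan is executed.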

Weakness Enumeration

Prototype Pollution

Related Identifiers

CVE-2026-32621
GHSA-PFJJ-6F4P-RVMH

Affected Products

@Apollo/Federation-Internals
Apollo Gateway
@Apollo/Query-Planner
@Rootio/@Apollo/Gateway
Federation
Federation-Internals
Gateway
Query-Planner