Home / Vulnerability Intelligence / CVE-2026-32621

CVE-2026-32621 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: March 16, 2026

Apollo Federation - Prototype Pollution

Published: March 16, 2026Updated: March 16, 2026Remote Exploitable

Overview

Apollo Federation < 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2 contains a prototype pollution vulnerability caused by crafted operations or JSON payloads targeting Object.prototype in the gateway, letting attackers manipulate prototype-inheritable properties, exploit requires crafted queries or compromised subgraph.

Severity & Score

Severity: Critical

CVSS Score: 9.9

EPSS Score: 2.9%(Probability of exploitation in next 30 days)

Impact

Attackers can manipulate Object.prototype, potentially leading to application logic corruption or denial of service.

Mitigation

Update to versions 2.9.6, 2.10.5, 2.11.6, 2.12.3, or 2.13.2 or later.

References

https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 14, 2026

🚨 CRITICAL: CVE-2026-32621 in @Apollo federation-internals enables prototype pollution — risking code execution & data compromise. Affects versions <2.9.6, <2.10.5, <2.11.6, <2.12.3, <2.13.2. Patch now! https://radar.offseq.com/threat/cve-2026-32621-cwe-1321-improperly-controlled-modi-1de28d7f #OffSeq #CVE202632621 #GraphQL #Security

View original post

Related Resources

Details

CVE ID: CVE-2026-32621
Severity: Critical
CVSS Score: 9.9
Type: prototype_pollution
Status: unconfirmed
EPSS: 2.9%
Social Posts: 1

CWE

CWE-1321

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

EPSS Score

2.9%Probability of exploitation in the next 30 days