Home / Vulnerability Intelligence / CVE-2026-32621

CVE-2026-32621 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: March 16, 2026

Apollo Federation - Prototype Pollution

Published: March 16, 2026Updated: March 16, 2026Remote Exploitable

Overview

Apollo Federation < 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2 contains a prototype pollution vulnerability caused by crafted operations or JSON payloads targeting Object.prototype in the gateway, letting attackers manipulate prototype-inheritable properties, exploit requires crafted queries or compromised subgraph.

Severity & Score

Severity: Critical

CVSS Score: 9.9

EPSS Score: 2.9%(Probability of exploitation in next 30 days)

Impact

Attackers can manipulate Object.prototype, potentially leading to application logic corruption or denial of service.

Mitigation

Update to versions 2.9.6, 2.10.5, 2.11.6, 2.12.3, or 2.13.2 or later.

References

https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 16, 2026

🔴 CVE-2026-32621 - Critical (9.9) Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.pr... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32621/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-32621
Severity: Critical
CVSS Score: 9.9
Type: prototype_pollution
Status: unconfirmed
EPSS: 2.9%
Social Posts: 1

CWE

CWE-1321

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

EPSS Score

2.9%Probability of exploitation in the next 30 days