CVE-2026-32621

Source
https://cve.org/CVERecord?id=CVE-2026-32621
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32621.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32621
Published
2026-03-13T20:29:54.875Z
Modified
2026-04-10T05:42:24.713770Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Summary
Apollo Federation has prototype pollution via incomplete key sanitization
Details

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. In versions prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability in query plan execution within the gateway may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in the gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph is compromised by a malicious actor, that actor may be able to pollute Object.prototype in the gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32621.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1321"
    ]
}

Affected packages

Git / github.com/apollographql/federation

Affected ranges

Type
GIT
Repo
https://github.com/apollographql/federation
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.13.0-preview.0"
        },
        {
            "fixed": "2.13.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/apollographql/federation
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.12.0-preview.0"
        },
        {
            "fixed": "2.12.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/apollographql/federation
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.11.0-preview.0"
        },
        {
            "fixed": "2.11.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/apollographql/federation
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.10.0-alpha.0"
        },
        {
            "fixed": "2.10.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/apollographql/federation
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.9.6"
        }
    ]
}

Affected versions

2.*
2.2.0-rc.0
@apollo/composition@2.*
@apollo/composition@2.0.0-alpha.0
@apollo/composition@2.0.0-alpha.1
@apollo/composition@2.0.0-alpha.6
@apollo/composition@2.12.0
@apollo/composition@2.12.0-preview.0
@apollo/composition@2.12.0-preview.1
@apollo/composition@2.12.0-preview.2
@apollo/composition@2.12.0-preview.3
@apollo/composition@2.12.0-preview.4
@apollo/composition@2.12.1
@apollo/composition@2.12.2
@apollo/composition@2.4.0
@apollo/composition@2.4.0-alpha.0
@apollo/composition@2.4.0-alpha.1
@apollo/composition@2.5.0
@apollo/composition@2.5.1
@apollo/composition@2.5.2
@apollo/composition@2.5.3
@apollo/composition@2.5.4
@apollo/composition@2.5.5
@apollo/composition@2.5.6
@apollo/composition@2.5.7
@apollo/composition@2.6.1
@apollo/composition@2.6.2
@apollo/composition@2.7.0
@apollo/composition@2.7.1
@apollo/composition@2.7.2
@apollo/composition@2.7.3
@apollo/composition@2.7.4
@apollo/composition@2.7.5
@apollo/composition@2.7.6
@apollo/composition@2.7.7
@apollo/composition@2.8.0
@apollo/composition@2.8.0-alpha.0
@apollo/composition@2.8.0-alpha.1
@apollo/composition@2.8.1
@apollo/composition@2.8.2
@apollo/composition@2.8.3
@apollo/composition@2.8.4
@apollo/composition@2.8.5
@apollo/composition@2.9.0
@apollo/composition@2.9.1
@apollo/composition@2.9.2
@apollo/composition@2.9.3
@apollo/composition@2.9.4
@apollo/composition@2.9.5
@apollo/federation-internals@2.*
@apollo/federation-internals@2.0.0-alpha.0
@apollo/federation-internals@2.0.0-alpha.1
@apollo/federation-internals@2.0.0-alpha.6
@apollo/federation-internals@2.12.0
@apollo/federation-internals@2.12.0-preview.0
@apollo/federation-internals@2.12.0-preview.1
@apollo/federation-internals@2.12.0-preview.2
@apollo/federation-internals@2.12.0-preview.3
@apollo/federation-internals@2.12.0-preview.4
@apollo/federation-internals@2.12.1
@apollo/federation-internals@2.12.2
@apollo/federation-internals@2.4.0
@apollo/federation-internals@2.4.0-alpha.0
@apollo/federation-internals@2.4.0-alpha.1
@apollo/federation-internals@2.5.0
@apollo/federation-internals@2.5.1
@apollo/federation-internals@2.5.2
@apollo/federation-internals@2.5.3
@apollo/federation-internals@2.5.4
@apollo/federation-internals@2.5.5
@apollo/federation-internals@2.5.6
@apollo/federation-internals@2.5.7
@apollo/federation-internals@2.6.1
@apollo/federation-internals@2.6.2
@apollo/federation-internals@2.7.0
@apollo/federation-internals@2.7.1
@apollo/federation-internals@2.7.2
@apollo/federation-internals@2.7.3
@apollo/federation-internals@2.7.4
@apollo/federation-internals@2.7.5
@apollo/federation-internals@2.7.6
@apollo/federation-internals@2.7.7
@apollo/federation-internals@2.8.0
@apollo/federation-internals@2.8.0-alpha.0
@apollo/federation-internals@2.8.0-alpha.1
@apollo/federation-internals@2.8.1
@apollo/federation-internals@2.8.2
@apollo/federation-internals@2.8.3
@apollo/federation-internals@2.8.4
@apollo/federation-internals@2.8.5
@apollo/federation-internals@2.9.0
@apollo/federation-internals@2.9.1
@apollo/federation-internals@2.9.2
@apollo/federation-internals@2.9.3
@apollo/federation-internals@2.9.4
@apollo/federation-internals@2.9.5
@apollo/federation@0.*
@apollo/federation@0.20.1
@apollo/federation@0.20.2
@apollo/federation@0.20.3
@apollo/federation@0.20.4
@apollo/federation@0.20.5
@apollo/federation@0.20.6
@apollo/federation@0.20.7
@apollo/federation@0.21.0
@apollo/federation@0.21.1
@apollo/federation@0.21.2
@apollo/federation@0.22.0
@apollo/federation@0.23.1
@apollo/federation@0.23.2
@apollo/federation@0.24.0
@apollo/federation@0.25.0
@apollo/federation@0.25.1
@apollo/federation@0.25.2
@apollo/federation@0.27.1
@apollo/federation@0.28.0
@apollo/federation@0.30.0
@apollo/federation@0.33.4
@apollo/federation@2.*
@apollo/federation@2.0.0-alpha.0
@apollo/federation@2.0.0-alpha.1
@apollo/gateway@0.*
@apollo/gateway@0.20.1
@apollo/gateway@0.20.2
@apollo/gateway@0.20.3
@apollo/gateway@0.20.4
@apollo/gateway@0.21.0
@apollo/gateway@0.21.1
@apollo/gateway@0.21.2
@apollo/gateway@0.21.3
@apollo/gateway@0.21.4
@apollo/gateway@0.22.0
@apollo/gateway@0.23.1
@apollo/gateway@0.23.2
@apollo/gateway@0.24.0
@apollo/gateway@0.24.1
@apollo/gateway@0.24.2
@apollo/gateway@0.24.3
@apollo/gateway@0.24.4
@apollo/gateway@0.25.1
@apollo/gateway@0.26.1
@apollo/gateway@0.26.2
@apollo/gateway@0.26.3
@apollo/gateway@0.27.0
@apollo/gateway@0.27.1
@apollo/gateway@0.28.0
@apollo/gateway@0.28.1
@apollo/gateway@0.28.2
@apollo/gateway@0.28.3
@apollo/gateway@0.29.0
@apollo/gateway@0.29.1
@apollo/gateway@0.30.0
@apollo/gateway@0.31.1
@apollo/gateway@0.32.0
@apollo/gateway@0.35.1
@apollo/gateway@0.36.0
@apollo/gateway@0.39.0
@apollo/gateway@0.42.4
@apollo/gateway@2.*
@apollo/gateway@2.0.0-alpha.0
@apollo/gateway@2.0.0-alpha.1
@apollo/gateway@2.0.0-alpha.6
@apollo/gateway@2.12.0
@apollo/gateway@2.12.0-preview.0
@apollo/gateway@2.12.0-preview.1
@apollo/gateway@2.12.0-preview.2
@apollo/gateway@2.12.0-preview.3
@apollo/gateway@2.12.0-preview.4
@apollo/gateway@2.12.1
@apollo/gateway@2.12.2
@apollo/gateway@2.4.0
@apollo/gateway@2.4.0-alpha.0
@apollo/gateway@2.4.0-alpha.1
@apollo/gateway@2.5.0
@apollo/gateway@2.5.1
@apollo/gateway@2.5.2
@apollo/gateway@2.5.3
@apollo/gateway@2.5.4
@apollo/gateway@2.5.5
@apollo/gateway@2.5.6
@apollo/gateway@2.5.7
@apollo/gateway@2.6.1
@apollo/gateway@2.6.2
@apollo/gateway@2.7.0
@apollo/gateway@2.7.1
@apollo/gateway@2.7.2
@apollo/gateway@2.7.3
@apollo/gateway@2.7.4
@apollo/gateway@2.7.5
@apollo/gateway@2.7.6
@apollo/gateway@2.7.7
@apollo/gateway@2.8.0
@apollo/gateway@2.8.0-alpha.0
@apollo/gateway@2.8.0-alpha.1
@apollo/gateway@2.8.1
@apollo/gateway@2.8.2
@apollo/gateway@2.8.3
@apollo/gateway@2.8.4
@apollo/gateway@2.8.5
@apollo/gateway@2.9.0
@apollo/gateway@2.9.1
@apollo/gateway@2.9.2
@apollo/gateway@2.9.3
@apollo/gateway@2.9.4
@apollo/gateway@2.9.5
@apollo/harmonizer@0.*
@apollo/harmonizer@0.1.2
@apollo/harmonizer@0.1.4
@apollo/harmonizer@0.1.5
@apollo/harmonizer@0.2.0
@apollo/harmonizer@0.2.4
@apollo/harmonizer@0.2.5
@apollo/harmonizer@0.28.1
@apollo/harmonizer@0.3.2
@apollo/harmonizer@0.3.3
@apollo/harmonizer@0.30.0
@apollo/harmonizer@0.33.4
@apollo/harmonizer@2.*
@apollo/harmonizer@2.0.0-alpha.0
@apollo/harmonizer@2.0.0-alpha.1
@apollo/harmonizer@2.0.0-alpha.6
@apollo/query-graphs@2.*
@apollo/query-graphs@2.0.0-alpha.0
@apollo/query-graphs@2.0.0-alpha.1
@apollo/query-graphs@2.0.0-alpha.6
@apollo/query-graphs@2.12.0
@apollo/query-graphs@2.12.0-preview.0
@apollo/query-graphs@2.12.0-preview.1
@apollo/query-graphs@2.12.0-preview.2
@apollo/query-graphs@2.12.0-preview.3
@apollo/query-graphs@2.12.0-preview.4
@apollo/query-graphs@2.12.1
@apollo/query-graphs@2.12.2
@apollo/query-graphs@2.4.0
@apollo/query-graphs@2.4.0-alpha.0
@apollo/query-graphs@2.4.0-alpha.1
@apollo/query-graphs@2.5.0
@apollo/query-graphs@2.5.1
@apollo/query-graphs@2.5.2
@apollo/query-graphs@2.5.3
@apollo/query-graphs@2.5.4
@apollo/query-graphs@2.5.5
@apollo/query-graphs@2.5.6
@apollo/query-graphs@2.5.7
@apollo/query-graphs@2.6.1
@apollo/query-graphs@2.6.2
@apollo/query-graphs@2.7.0
@apollo/query-graphs@2.7.1
@apollo/query-graphs@2.7.2
@apollo/query-graphs@2.7.3
@apollo/query-graphs@2.7.4
@apollo/query-graphs@2.7.5
@apollo/query-graphs@2.7.6
@apollo/query-graphs@2.7.7
@apollo/query-graphs@2.8.0
@apollo/query-graphs@2.8.0-alpha.0
@apollo/query-graphs@2.8.0-alpha.1
@apollo/query-graphs@2.8.1
@apollo/query-graphs@2.8.2
@apollo/query-graphs@2.8.3
@apollo/query-graphs@2.8.4
@apollo/query-graphs@2.8.5
@apollo/query-graphs@2.9.0
@apollo/query-graphs@2.9.1
@apollo/query-graphs@2.9.2
@apollo/query-graphs@2.9.3
@apollo/query-graphs@2.9.4
@apollo/query-graphs@2.9.5
@apollo/query-planner-wasm@0.*
@apollo/query-planner-wasm@0.0.10
@apollo/query-planner-wasm@0.0.3
@apollo/query-planner-wasm@0.0.4
@apollo/query-planner-wasm@0.0.5
@apollo/query-planner-wasm@0.0.6
@apollo/query-planner-wasm@0.0.7
@apollo/query-planner-wasm@0.0.8
@apollo/query-planner-wasm@0.0.9
@apollo/query-planner-wasm@0.1.1
@apollo/query-planner-wasm@0.1.2
@apollo/query-planner-wasm@0.2.0
@apollo/query-planner-wasm@0.2.1
@apollo/query-planner-wasm@0.2.2
@apollo/query-planner-wasm@0.2.3
@apollo/query-planner-wasm@0.2.4
@apollo/query-planner-wasm@0.2.6
@apollo/query-planner@0.*
@apollo/query-planner@0.0.11
@apollo/query-planner@0.0.12
@apollo/query-planner@0.0.13
@apollo/query-planner@0.0.14
@apollo/query-planner@0.1.1
@apollo/query-planner@0.1.2
@apollo/query-planner@0.1.3
@apollo/query-planner@0.1.4
@apollo/query-planner@0.2.0
@apollo/query-planner@0.2.1
@apollo/query-planner@0.2.2
@apollo/query-planner@0.3.1
@apollo/query-planner@0.4.0
@apollo/query-planner@0.5.2
@apollo/query-planner@2.*
@apollo/query-planner@2.0.0-alpha.0
@apollo/query-planner@2.0.0-alpha.1
@apollo/query-planner@2.0.0-alpha.6
@apollo/query-planner@2.12.0
@apollo/query-planner@2.12.0-preview.0
@apollo/query-planner@2.12.0-preview.1
@apollo/query-planner@2.12.0-preview.2
@apollo/query-planner@2.12.0-preview.3
@apollo/query-planner@2.12.0-preview.4
@apollo/query-planner@2.12.1
@apollo/query-planner@2.12.2
@apollo/query-planner@2.4.0
@apollo/query-planner@2.4.0-alpha.0
@apollo/query-planner@2.4.0-alpha.1
@apollo/query-planner@2.5.0
@apollo/query-planner@2.5.1
@apollo/query-planner@2.5.2
@apollo/query-planner@2.5.3
@apollo/query-planner@2.5.4
@apollo/query-planner@2.5.5
@apollo/query-planner@2.5.6
@apollo/query-planner@2.5.7
@apollo/query-planner@2.6.1
@apollo/query-planner@2.6.2
@apollo/query-planner@2.7.0
@apollo/query-planner@2.7.1
@apollo/query-planner@2.7.2
@apollo/query-planner@2.7.3
@apollo/query-planner@2.7.4
@apollo/query-planner@2.7.5
@apollo/query-planner@2.7.6
@apollo/query-planner@2.7.7
@apollo/query-planner@2.8.0
@apollo/query-planner@2.8.0-alpha.0
@apollo/query-planner@2.8.0-alpha.1
@apollo/query-planner@2.8.1
@apollo/query-planner@2.8.2
@apollo/query-planner@2.8.3
@apollo/query-planner@2.8.4
@apollo/query-planner@2.8.5
@apollo/query-planner@2.9.0
@apollo/query-planner@2.9.1
@apollo/query-planner@2.9.2
@apollo/query-planner@2.9.3
@apollo/query-planner@2.9.4
@apollo/query-planner@2.9.5
@apollo/router-bridge@0.*
@apollo/router-bridge@0.1.1
@apollo/router-bridge@2.*
@apollo/router-bridge@2.0.0-alpha.0
@apollo/router-bridge@2.0.0-alpha.1
@apollo/router-bridge@2.0.0-alpha.6
@apollo/subgraph@0.*
@apollo/subgraph@0.1.3
@apollo/subgraph@2.*
@apollo/subgraph@2.0.0-alpha.0
@apollo/subgraph@2.0.0-alpha.1
@apollo/subgraph@2.0.0-alpha.6
@apollo/subgraph@2.12.0
@apollo/subgraph@2.12.0-preview.0
@apollo/subgraph@2.12.0-preview.1
@apollo/subgraph@2.12.0-preview.2
@apollo/subgraph@2.12.0-preview.3
@apollo/subgraph@2.12.0-preview.4
@apollo/subgraph@2.12.1
@apollo/subgraph@2.12.2
@apollo/subgraph@2.4.0
@apollo/subgraph@2.4.0-alpha.0
@apollo/subgraph@2.4.0-alpha.1
@apollo/subgraph@2.5.0
@apollo/subgraph@2.5.1
@apollo/subgraph@2.5.2
@apollo/subgraph@2.5.3
@apollo/subgraph@2.5.4
@apollo/subgraph@2.5.5
@apollo/subgraph@2.5.6
@apollo/subgraph@2.5.7
@apollo/subgraph@2.6.1
@apollo/subgraph@2.6.2
@apollo/subgraph@2.7.0
@apollo/subgraph@2.7.1
@apollo/subgraph@2.7.2
@apollo/subgraph@2.7.3
@apollo/subgraph@2.7.4
@apollo/subgraph@2.7.5
@apollo/subgraph@2.7.6
@apollo/subgraph@2.7.7
@apollo/subgraph@2.8.0
@apollo/subgraph@2.8.0-alpha.0
@apollo/subgraph@2.8.0-alpha.1
@apollo/subgraph@2.8.1
@apollo/subgraph@2.8.2
@apollo/subgraph@2.8.3
@apollo/subgraph@2.8.4
@apollo/subgraph@2.8.5
@apollo/subgraph@2.9.0
@apollo/subgraph@2.9.1
@apollo/subgraph@2.9.2
@apollo/subgraph@2.9.3
@apollo/subgraph@2.9.4
@apollo/subgraph@2.9.5
apollo-federation-integration-testsuite@0.*
apollo-federation-integration-testsuite@0.20.1
apollo-federation-integration-testsuite@0.20.2
apollo-federation-integration-testsuite@0.20.3
apollo-federation-integration-testsuite@0.20.4
apollo-federation-integration-testsuite@0.20.5
apollo-federation-integration-testsuite@0.21.0
apollo-federation-integration-testsuite@0.22.0
apollo-federation-integration-testsuite@0.23.1
apollo-federation-integration-testsuite@0.23.2
apollo-federation-integration-testsuite@0.23.3
apollo-federation-integration-testsuite@0.24.0
apollo-federation-integration-testsuite@0.25.0
apollo-federation-integration-testsuite@0.25.1
apollo-federation-integration-testsuite@0.28.0
apollo-federation-integration-testsuite@0.30.0
apollo-federation-integration-testsuite@0.33.2
apollo-federation-integration-testsuite@2.*
apollo-federation-integration-testsuite@2.0.0-alpha.0
apollo-federation-integration-testsuite@2.0.0-alpha.1
apollo-federation-integration-testsuite@2.0.0-alpha.6
Other
pre-cli-removal
publish/20200918220443
publish/20200921213411
publish/20200924175307
publish/20200925115025
publish/20200925115037
publish/20200925115045
publish/20200925115054
publish/20200930151034
publish/20201109161401
publish/20201119213556
publish/20201120184033
publish/20201204223135
publish/20210114172739
publish/20210226192245
publish/20210226202753
publish/20210310080736
publish/20210310082711
publish/20210310092238
publish/20210310092738
publish/20210310114707
publish/20210331111626
publish/20210405205933
publish/20210422213358
publish/20210426214525
publish/20210429133001
publish/20210429171631
publish/20210503102213
publish/20210510202305
publish/20210525001653
publish/20210610145647
publish/20210616192610
publish/20210616215933
publish/20210622204946
publish/20210702103216
publish/20210702222118
publish/20210727175430
publish/20210803175107
publish/20210826121431
publish/20211103085729
publish/20220214110600
publish/20220309170101
publish/20220309171736
stargate@0.*
stargate@0.0.1-alpha.0
v0.*
v0.0.3
v0.1.10
v0.1.8
v0.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32621.json"