Prototype Pollution in Middleapi Orpc
CVE-2026-28794
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerab…
Vulnerability class: Prototype Pollution
EPSS: 0.009 (75.6th percentile)
Affected products
- Middleapi Orpc — versions < 1.13.6
Weakness classification (CWE)
References
- https://github.com/middleapi/orpc/security/advisories/GHSA-m272-9rp6-32mc (x_refsource_CONFIRM)
- https://github.com/middleapi/orpc/commit/1dba06fc6f938c2486de303c2fa096bc1c8418b5 (x_refsource_MISC)