What is CVE-2026-32621?

CVE-2026-32621 is a critical-severity vulnerability in @Apollo Federation-internals, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 9.9/10. Published 2026-03-16.

How severe is CVE-2026-32621?

Critical severity. CVSS v3 base score is 9.9 out of 10.

Prototype Pollution in @Apollo Federation-internals

CVE-2026-32621

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of O…

Vulnerability class: Prototype Pollution

EPSS: 0.000 (13.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L.

Affected products

@Apollo Federation-internals — versions >= 2.13.0-preview.0, < 2.13.2, >= 2.12.0-preview.0, < 2.12.3, >= 2.11.0-preview.0, < 2.11.6
@Apollo Gateway — versions >= 2.13.0-preview.0, < 2.13.2, >= 2.12.0-preview.0, < 2.12.3, >= 2.11.0-preview.0, < 2.11.6
@Apollo Query-planner — versions >= 2.13.0-preview.0, < 2.13.2, >= 2.12.0-preview.0, < 2.12.3, >= 2.11.0-preview.0, < 2.11.6

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-32621?: CVE-2026-32621 is a critical-severity vulnerability in @Apollo Federation-internals, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 9.9/10. Published 2026-03-16.
How severe is CVE-2026-32621?: Critical severity. CVSS v3 base score is 9.9 out of 10.