CVE-2026-32621
critical
CVSS v3
9.9
CVSS v2
—
VIR risk
9.9
Description
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Predictions
Exploit likelihood
98%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | @apollo/federation-internals | <2.9.6 | 2.9.6 |
| npm | @apollo/federation-internals | >=2.10.0,<2.10.5 | 2.10.5 |
| npm | @apollo/federation-internals | >=2.11.0,<2.11.6 | 2.11.6 |
| npm | @apollo/federation-internals | >=2.12.0,<2.12.3 | 2.12.3 |
| npm | @apollo/federation-internals | >=2.13.0,<2.13.2 | 2.13.2 |
| npm | @apollo/gateway | <2.9.6 | 2.9.6 |
| npm | @apollo/gateway | >=2.10.0,<2.10.5 | 2.10.5 |
| npm | @apollo/gateway | >=2.11.0,<2.11.6 | 2.11.6 |
| npm | @apollo/gateway | >=2.12.0,<2.12.3 | 2.12.3 |
| npm | @apollo/gateway | >=2.13.0,<2.13.2 | 2.13.2 |
| npm | @apollo/query-planner | <2.9.6 | 2.9.6 |
| npm | @apollo/query-planner | >=2.10.0,<2.10.5 | 2.10.5 |
| npm | @apollo/query-planner | >=2.11.0,<2.11.6 | 2.11.6 |
| npm | @apollo/query-planner | >=2.12.0,<2.12.3 | 2.12.3 |
| npm | @apollo/query-planner | >=2.13.0,<2.13.2 | 2.13.2 |
References
CWEs
CWE-1321
Verify integrity in audit chain (admin only). AS-IS.