51 matches found
Improper Access Control
Apollo Federation is vulnerable to improper access control. The vulnerability is due to improper enforcement of user-defined access control directives on interface types and fields, which allows an attacker to bypass access restrictions by querying implementing object types and fields through...
CVE-2026-32621
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client m...
CVE-2026-32621
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client m...
Apollo Federation 安全漏洞
Apollo Federation is an architecture in the Apollo community that combines APIs into a unified graph through declarative methods. Vulnerabilities exist in versions of Apollo Federation before 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2. These vulnerabilities stem from vulnerabilities in the query...
EUVD-2026-12135
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization...
Prototype Pollution
Overview @apollo/federation-internals is an Apollo Federation internal utilities Affected versions of this package are vulnerable to Prototype Pollution through incomplete sanitization of input in the query plan execution. An attacker can manipulate the Object.prototype in the gateway by crafting...
GHSA-PFJJ-6F4P-RVMH Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Impact A vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target...
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Impact A vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target...
CVE-2026-32621 Apollo Federation has prototype pollution via incomplete key sanitization
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client m...
CVE-2026-32621
CVE-2026-32621 affects Apollo Federation’s gateway, with a root cause in query plan execution leading to possible pollution of Object.prototype. The advisory and CVE entry indicate the issue exists prior to fixes in versions 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, involving either crafted oper...
CVE-2026-32621 Apollo Federation has prototype pollution via incomplete key sanitization
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client m...
CVE-2026-32621
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client m...
CVE-2026-32621 Apollo Federation has prototype pollution via incomplete key sanitization
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client m...
PT-2026-25379
Name of the Vulnerable Software and Affected Versions Apollo Federation versions prior to 2.9.6 Apollo Federation versions prior to 2.10.5 Apollo Federation versions prior to 2.11.6 Apollo Federation versions prior to 2.12.3 Apollo Federation versions prior to 2.13.2 Description Apollo Federation...
CVE-2025-64530
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. A vulnerability in versions of Apollo Federation's composition logic prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1 allowed some queries to Apollo Router to improperly bypass access controls on types/fields...
EUVD-2025-197661
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields...
GHSA-M8JR-FXQX-8XX6 Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
Summary A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields...
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
Summary A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields...
EUVD-2025-180542
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields...
GHSA-MX7M-J9XF-62HW @apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
Summary A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead...