CVE-2026-28794
Published: 06 March 2026
Summary
CVE-2026-28794 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in oRPC (the @orpc/client package). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely patching to oRPC version 1.13.6 or later, which eliminates the prototype pollution flaw in the JSON deserializer.
- Input validation: validates the structure and content of inputs to the RPC JSON deserializer, blocking specially crafted payloads that inject properties into Object.prototype.
- RA-5 (Vulnerability Monitoring and Scanning): scans systems for vulnerabilities such as CVE-2026-28794 in @orpc/client, identifying vulnerable versions for remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing RPC JSON deserializer in a Node.js API framework via prototype pollution.
NVD Description
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.
Deeper analysis
CVE-2026-28794 is a prototype pollution vulnerability (CWE-1321) in the RPC JSON deserializer of the @orpc/client package within oRPC, a tool for building end-to-end type-safe APIs that adhere to OpenAPI standards. It affects versions of oRPC prior to 1.13.6, running in Node.js environments, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
Unauthenticated remote attackers can exploit the vulnerability by sending specially crafted input to the deserializer, allowing them to inject arbitrary properties into the global Object.prototype. This pollution persists for the entire lifetime of the Node.js process and affects all objects created within it, potentially leading to authentication bypass, denial of service, and in some cases remote code execution.
The issue has been addressed in oRPC version 1.13.6. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/middleapi/orpc/security/advisories/GHSA-m272-9rp6-32mc and the patching commit at https://github.com/middleapi/orpc/commit/1dba06fc6f938c2486de303c2fa096bc1c8418b5.
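As an added example (not oRPC's code, and not a reconstruction of the vulnerable deserializer), the following Node.js snippet shows the input-validation hardening described under the mitigating controls and the mechanism the deeper analysis describes: a JSON reviver that rejects the keys through which a deserializer can reach Object.prototype, a merge step that uses null-prototype targets as defence in depth, and a process health check that reports whether Object.prototype has already been polluted. All function names and the sample payloads are constructed for this example.

```javascript
// Added illustration of the CWE-1321 class in a JSON deserializer (generic; not oRPC's code).
// Keys that a merge/assign step can follow from a plain object up to Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

class PrototypePollutionError extends Error {}

// Parse untrusted JSON and refuse any object carrying a forbidden key at any depth.
// JSON.parse itself does not pollute (it creates an own property literally named
// "__proto__"); it is a later merge that trusts keys which walks into Object.prototype.
function safeDeserialize(text) {
  return JSON.parse(text, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new PrototypePollutionError(`rejected forbidden key "${key}"`);
    }
    return value;
  });
}

// Defence in depth for the merge step: every nested target is created with a null
// prototype, so even a key the reviver missed has no prototype chain to climb.
function mergeInto(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new PrototypePollutionError(`rejected forbidden key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      target[key] = mergeInto(Object.create(null), value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Process health check: Object.prototype's built-ins are non-enumerable, so a clean
// Node.js process returns []. Anything listed means the process is polluted; restart it.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed sample payloads: one benign, one carrying an own "__proto__" key.
function demo() {
  const hostile = '{"user":"alice","__proto__":{"isAdmin":true}}';
  const benign = '{"user":"alice","roles":["viewer"]}';
  let rejected = false;
  try { safeDeserialize(hostile); } catch (e) { rejected = e instanceof PrototypePollutionError; }
  const parsed = mergeInto(Object.create(null), safeDeserialize(benign));
  return { rejected, user: parsed.user, polluted: pollutedPrototypeKeys(), leaked: ({}).isAdmin };
}
```

The health check is the operationally useful piece: a polluted Object.prototype cannot be reliably cleaned in place, so treat a non-empty result as a signal to restart the process and trace the request that caused it.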
Details
- CWE(s)