Cyber Resilience

CVE-2026-28794

Critical · Public PoC

Published: 06 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: available (oRPC 1.13.6)
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0091 (55.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28794 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Orpc Orpc. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-28794 is a prototype pollution vulnerability (CWE-1321) in the RPC JSON deserializer of the @orpc/client package within oRPC, a tool for building end-to-end type-safe APIs that adhere to OpenAPI standards. It affects versions of oRPC prior to 1.13.6, running in Node.js environments, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Unauthenticated remote attackers can exploit the vulnerability by sending specially crafted input to the deserializer, allowing them to inject arbitrary properties into the global Object.prototype. This pollution persists for the entire lifetime of the Node.js process and affects all objects created within it, potentially leading to authentication bypass, denial of service, and in some cases remote code execution.

The issue has been addressed in oRPC version 1.13.6. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/middleapi/orpc/security/advisories/GHSA-m272-9rp6-32mc and the patching commit at https://github.com/middleapi/orpc/commit/1dba06fc6f938c2486de303c2fa096bc1c8418b5.
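As an added illustration of the input-validation control for this class of bug, the following is a defensive deserialization step for a Node.js RPC handler; it is constructed for this page, is not oRPC's code or its patch, and the names safeDeserialize, sanitize and prototypeLeaks are hypothetical. It rejects the keys through which parsed JSON can reach Object.prototype and rebuilds values on null-prototype objects, so a later deep merge has no prototype chain to walk.

```javascript
// Added example (not oRPC's code): defensive JSON deserialization that
// blocks CWE-1321 prototype pollution at the parsing boundary.

// Keys that let attacker-controlled data reach Object.prototype when a
// deserializer assigns or merges parsed properties into existing objects.
// "prototype" on its own is harmless, but rejecting it keeps the policy
// conservative and simple to audit.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Rebuild the parsed value recursively: arrays stay arrays, objects become
// null-prototype objects, primitives pass through. Throws on the first
// forbidden key, reporting a JSON path so the rejection can be logged.
function sanitize(value, path = '$') {
  if (Array.isArray(value)) {
    return value.map((v, i) => sanitize(v, `${path}[${i}]`));
  }
  if (value !== null && typeof value === 'object') {
    const out = Object.create(null);
    // Object.keys lists "__proto__" as an own key here because JSON.parse
    // creates it as a plain data property rather than invoking the setter.
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new Error(`rejected prototype-polluting key "${key}" at ${path}`);
      }
      out[key] = sanitize(value[key], `${path}.${key}`);
    }
    return out;
  }
  return value;
}

// Entry point for request bodies: parse, then validate structure before
// anything downstream copies the result into application objects.
function safeDeserialize(text) {
  return sanitize(JSON.parse(text));
}

// Health check for tests or a readiness probe: Object.prototype should have
// no enumerable own keys, so a non-empty list means the process is polluted.
function prototypeLeaks() {
  return Object.keys(Object.prototype);
}
```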

EU & UK References

Vulnerability details

oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of a public-facing RPC JSON deserializer in a Node.js API framework via prototype pollution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33331: same product (Orpc Orpc)
CVE-2026-29063: shared CWE-1321
CVE-2026-24888: shared CWE-1321
CVE-2026-45302: shared CWE-1321
CVE-2026-8657: shared CWE-1321
CVE-2025-61140: shared CWE-1321
CVE-2024-57077: shared CWE-1321
CVE-2026-34221: shared CWE-1321
CVE-2026-35209: shared CWE-1321
CVE-2026-33994: shared CWE-1321

Affected Assets

Vendor: orpc
Product: orpc
Versions: ≤ 1.13.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent · SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely patching to oRPC version 1.13.6 or later, eliminating the prototype pollution flaw in the JSON deserializer.

prevent · input validation: Validates structure and content of inputs to the RPC JSON deserializer, blocking specially crafted payloads that inject properties into Object.prototype.

detect · RA-5 (Vulnerability Monitoring and Scanning): Scans systems for vulnerabilities like CVE-2026-28794 in @orpc/client, identifying vulnerable versions for remediation.

References