Cyber Posture

CVE-2026-28794

Critical · Public PoC

Published: 06 March 2026
Modified: 10 March 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0082 (74.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly mitigates the vulnerability by requiring timely patching to oRPC version 1.13.6 or later, eliminating the prototype pollution flaw in the JSON deserializer.

prevent: Validates structure and content of inputs to the RPC JSON deserializer, blocking specially crafted payloads that inject properties into Object.prototype.

detect: Scans systems for vulnerabilities like CVE-2026-28794 in @orpc/client, identifying vulnerable versions for remediation.
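As an added illustration of the input-validation and detection controls listed above (example code written for this page, not oRPC's deserializer or its 1.13.6 fix): a hardened path-based object rebuild that refuses any key through which decoded JSON could reach Object.prototype, and a check a defender can run inside a live Node.js process to see whether its prototype is already polluted. The `[path, value]` patch format and the function names are assumptions.

```javascript
// Added example, not oRPC's code: a path-based object rebuild of the kind a
// structured-JSON (RPC) deserializer performs, hardened so that no decoded key
// can reach Object.prototype, plus a runtime check for an already-polluted
// prototype. The [path, value] patch shape below is an assumption.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Write `value` at `path` (array of keys) under `root`, creating intermediate
// containers with a null prototype. Refuses, rather than silently skipping,
// any segment that could traverse into the prototype chain.
function safeSetPath(root, path, value) {
  if (!Array.isArray(path) || path.length === 0) throw new TypeError('empty path');
  let cursor = root;
  for (let i = 0; i < path.length; i++) {
    const key = String(path[i]);
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`forbidden key "${key}" in path`);
    if (i === path.length - 1) {
      cursor[key] = value;
    } else {
      const has = Object.prototype.hasOwnProperty.call(cursor, key);
      if (!has || typeof cursor[key] !== 'object' || cursor[key] === null) {
        cursor[key] = Object.create(null);
      }
      cursor = cursor[key];
    }
  }
  return root;
}

// Rebuild an object from a decoded JSON body plus a list of [path, value]
// patches (constructed input shape). A rejected patch aborts the whole
// deserialization instead of leaving a partially applied object behind.
function deserializeSafely(body, patches) {
  const root = Object.create(null);
  for (const [key, val] of Object.entries(body)) safeSetPath(root, [key], val);
  for (const [path, val] of patches) safeSetPath(root, path, val);
  return root;
}

// Detection check for a running Node.js process: a fresh object literal must
// not enumerate any keys. Returns whatever a polluted prototype leaks.
function pollutedPrototypeKeys() {
  const leaked = [];
  for (const k in {}) leaked.push(k);
  return leaked;
}
```

Running `pollutedPrototypeKeys()` from a health-check endpoint or a startup hook gives a cheap signal that the process has been tampered with, independent of which deserializer let the keys through.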

Security Summary [AI-generated]

CVE-2026-28794 is a prototype pollution vulnerability (CWE-1321) in the RPC JSON deserializer of the @orpc/client package within oRPC, a tool for building end-to-end type-safe APIs that adhere to OpenAPI standards. It affects versions of oRPC prior to 1.13.6, running in Node.js environments, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Unauthenticated remote attackers can exploit the vulnerability by sending specially crafted input to the deserializer, allowing them to inject arbitrary properties into the global Object.prototype. This pollution persists for the entire lifetime of the Node.js process and affects all objects created within it, potentially leading to authentication bypass, denial of service, and in some cases remote code execution.

The issue has been addressed in oRPC version 1.13.6. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/middleapi/orpc/security/advisories/GHSA-m272-9rp6-32mc and the patching commit at https://github.com/middleapi/orpc/commit/1dba06fc6f938c2486de303c2fa096bc1c8418b5.

Details

CWE(s): CWE-1321

Affected Products: orpc / orpc, ≤ 1.13.6

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? Unauthenticated remote exploitation of a public-facing RPC JSON deserializer in a Node.js API framework via prototype pollution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References