The vulnerability identified as CVE-2026-28794 affects the orpc tool, specifically the @orpc/client package versions before 1.13.6. orpc is designed to build APIs that are end-to-end type-safe and compliant with OpenAPI standards. The flaw lies in the RPC JSON deserializer, which improperly controls the modification of object prototype attributes, a classic prototype pollution issue (CWE-1321). An attacker can remotely and without authentication inject arbitrary properties into the global Object.prototype. Since JavaScript objects inherit from this prototype, the injected properties affect all objects within the Node.js process, persisting for its lifetime. This can lead to severe security breaches including authentication bypass by manipulating security checks relying on object properties, denial of service through corrupted application state or crashes, and potentially remote code execution if the polluted prototype is leveraged in unsafe code paths. The vulnerability is remotely exploitable over the network without any user interaction, making it highly dangerous. The patch in version 1.13.6 addresses this by properly sanitizing and controlling prototype modifications during JSON deserialization. No known exploits are currently reported in the wild, but the high CVSS score (9.3) indicates critical severity and urgency for remediation.

The impact of this vulnerability is significant for organizations using orpc to build APIs, especially those exposing these APIs to untrusted or public networks. Prototype pollution can undermine the integrity and confidentiality of applications by enabling attackers to bypass authentication mechanisms, manipulate application logic, or cause denial of service by corrupting internal state. In worst cases, it can lead to remote code execution, allowing full system compromise. Since the pollution affects all objects globally within the Node.js process, the scope of impact is broad and can affect multiple components and services relying on orpc. This can result in data breaches, service outages, and loss of trust. Organizations in sectors with high API usage such as finance, healthcare, and technology are particularly vulnerable. The ease of exploitation without authentication or user interaction increases the risk of automated attacks and wormable exploits. Failure to patch promptly could lead to widespread exploitation once proof-of-concept or exploit code becomes available.

The primary and most effective mitigation is to upgrade the @orpc/client package to version 1.13.6 or later, where the vulnerability has been patched. Organizations should audit their dependencies to identify any usage of vulnerable orpc versions and prioritize updates. In addition, implement strict input validation and sanitization on all JSON inputs to reduce the risk of malicious payloads reaching the deserializer. Employ runtime monitoring and anomaly detection to identify suspicious prototype modifications or unusual application behavior indicative of exploitation attempts. Consider isolating orpc-based services in restricted environments or containers to limit the blast radius of potential attacks. Regularly review and update dependency management practices to quickly respond to newly disclosed vulnerabilities. Finally, conduct security testing including fuzzing and penetration testing focused on prototype pollution vectors to uncover any residual or related issues.