CVE-2026-28794: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in middleapi orpc
CVE-2026-28794 is a critical prototype pollution vulnerability in the @orpc/client package of the middleapi orpc tool, affecting versions prior to 1.13.6. The flaw allows unauthenticated remote attackers to inject arbitrary properties into the global Object.prototype via the RPC JSON deserializer. This pollution persists for the lifetime of the Node.js process, impacting all objects and potentially enabling severe security breaches such as authentication bypass, denial of service, and remote code execution. The vulnerability requires no authentication or user interaction and has a CVSS 4.0 score of 9.3, indicating critical severity.
AI Analysis
Technical Summary
CVE-2026-28794 is a prototype pollution vulnerability classified under CWE-1321, found in the RPC JSON deserializer component of the @orpc/client package within the middleapi orpc tool. The orpc tool facilitates building APIs that are end-to-end type-safe and compliant with OpenAPI standards. Versions prior to 1.13.6 allow unauthenticated remote attackers to manipulate the global Object.prototype by injecting arbitrary properties through crafted JSON payloads. Prototype pollution occurs when an attacker modifies the prototype of a base object, causing all objects inheriting from it to inherit malicious or unexpected properties. In Node.js environments, this pollution persists for the entire process lifetime, affecting all objects and potentially leading to severe consequences such as bypassing authentication mechanisms, causing denial of service by corrupting application logic, or even enabling remote code execution if exploited in conjunction with other vulnerabilities. The vulnerability is remotely exploitable without any authentication or user interaction, making it highly dangerous. The issue was publicly disclosed and assigned a CVSS 4.0 score of 9.3, reflecting its critical impact on confidentiality, integrity, and availability. The vulnerability has been fixed in version 1.13.6 of the @orpc/client package, and users are strongly advised to upgrade. No known active exploits have been reported yet, but the ease of exploitation and potential impact make this a high-priority patch.
Potential Impact
The impact of CVE-2026-28794 is significant for organizations using the middleapi orpc tool, especially those relying on the @orpc/client package versions prior to 1.13.6. Because the vulnerability allows unauthenticated remote attackers to inject properties into the global Object.prototype, it can compromise the integrity and confidentiality of applications by enabling authentication bypass and unauthorized access. The persistence of the pollution throughout the Node.js process lifetime means that all objects can be affected, potentially destabilizing application logic and causing denial of service. In worst-case scenarios, attackers may chain this vulnerability with others to achieve remote code execution, leading to full system compromise. This poses a critical risk to web services, APIs, and backend systems that depend on orpc for API construction and communication. The vulnerability's remote and unauthenticated nature increases the attack surface, making it a prime target for attackers seeking to exploit API infrastructures. Organizations that fail to patch may face data breaches, service outages, and reputational damage.
Mitigation Recommendations
To mitigate CVE-2026-28794, organizations should immediately upgrade the @orpc/client package to version 1.13.6 or later, where the vulnerability has been patched. Beyond upgrading, developers should implement strict input validation and sanitization on all JSON payloads processed by RPC deserializers to prevent injection of malicious properties. Employ runtime security monitoring to detect unusual prototype modifications or anomalous object behaviors indicative of prototype pollution attacks. Use security linters and static analysis tools to identify unsafe object property assignments in codebases. Limit the privileges of Node.js processes running orpc-based services to reduce the impact of potential exploitation. Additionally, consider implementing application-layer firewalls or API gateways that can filter and block suspicious payloads targeting prototype pollution vectors. Regularly audit dependencies for known vulnerabilities and maintain an up-to-date inventory of packages to ensure timely patching.
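As an added example (not code from the advisory or from the orpc project), the following Node.js snippet shows two of the mitigations above in practice: a JSON deserializer that refuses the keys capable of reaching Object.prototype at any nesting depth and returns null-prototype objects, plus a runtime canary that a monitor can poll to detect whether Object.prototype has already been polluted. The key list, the depth limit and the function names are assumptions for this example.

```javascript
// Added example, not code from the advisory or the orpc project.
// Hardened JSON deserialization for an untrusted RPC payload in Node.js.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DEPTH = 64; // assumed limit; also bounds recursion on hostile nesting

// Copy a parsed JSON value into fresh null-prototype objects, throwing if any
// object at any depth carries a key that could modify a prototype chain.
function sanitize(value, depth) {
  if (depth > MAX_DEPTH) throw new Error('JSON nesting exceeds MAX_DEPTH');
  if (Array.isArray(value)) return value.map((v) => sanitize(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = Object.create(null); // no inherited setters to trigger
    // JSON.parse stores "__proto__" as an own data property, so Object.keys
    // lists it and the check below sees it.
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new Error(`rejected prototype-pollution key: ${key}`);
      }
      out[key] = sanitize(value[key], depth + 1);
    }
    return out;
  }
  return value; // string, number, boolean or null
}

// Entry point: parse first, then validate the whole tree before the
// application ever merges the result into its own objects.
function safeParse(text) {
  return sanitize(JSON.parse(text), 0);
}

// Runtime canary: an empty object literal must expose no enumerable
// inherited keys. Returns the properties a polluting payload has added to
// Object.prototype, so a monitor can alert when the list is non-empty.
function detectPrototypePollution() {
  const leaked = [];
  for (const key in {}) leaked.push(key);
  return leaked;
}
```

Rejecting "constructor" and "prototype" as plain data keys is deliberately conservative; if an API schema legitimately uses those names, validate the payload against that schema instead of relying on the blocklist alone.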
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T14:25:19.245Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa6319c48b3f10ff135409
Added to database: 3/6/2026, 5:16:09 AM
Last enriched: 3/6/2026, 5:30:21 AM
Last updated: 3/6/2026, 7:25:17 AM