What is the severity of CVE-2026-28794?

CVE-2026-28794 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-28794?

No known public exploits are currently available for CVE-2026-28794.

Is there a patch available for CVE-2026-28794?

Yes, patches are available for CVE-2026-28794. Check the vendor advisories for update instructions.

CVE-2026-28794 - CVE Details, Severity, and Analysis

Summary

A critical Prototype Pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution.

Vulnerability Details

The root cause lies in the deserialize() method of StandardRPCJsonSerializer. When processing attacker-controlled path segments from the meta and maps arrays, the deserializer fails to implement validation or sanitization for dangerous JavaScript object keys, specifically __proto__ and constructor:

https://github.com/middleapi/orpc/blob/819ed2e0897b18a5d6a4ca85ba68568f055004a1/packages/client/src/adapters/standard/rpc-json-serializer.ts#L137-L213

There are two primary distinct write vectors available to an attacker:

The meta vector: Writes type-constrained values (e.g., Map, Set, Date) to arbitrary object paths.
The maps vector: Allows the injection of arbitrary string values. This occurs because the return value of getBlob(i) (which relies on FormData.get(i.toString())) is cast as Blob. Since this is strictly a TypeScript compile-time cast, the runtime execution allows standard text fields to return as arbitrary strings.

Crucially, this deserialization process occurs at the very beginning of the request lifecycle before any Zod schema validation takes place. Consequently, a malicious payload will successfully pollute the prototype even if the request is subsequently rejected by the validation layer.

This issue impacts all server adapters utilizing the RPC protocol.

Proof of Concept

To reproduce the vulnerability, set up the playgrounds/astro environment and start the development server using pnpm dev.

Run the following curl command to send a crafted payload:

curl -X POST http://localhost:4321/rpc/planet/create \
     -F 'data={"json":{},"meta":[],"maps":[["__proto__","role"]]}' \
     -F '0=admin'

Result: The deserializer evaluates maps, follows the __proto__ path, and maps index 0 to the string "admin". This immediately applies Object.prototype.role = "admin" across the entire Node.js server instance.

Impact

Servers relying on StandardRPCJsonSerializer for deserialization are immediately susceptible to global prototype pollution. The potential impacts including:

Privilege Escalation / Authorization Bypass: Attackers can bypass flawed security checks. For example, if the server relies on a defaulted property check like if (user.role === "admin"), the application will evaluate this as true for all users globally.
Remote Code Execution: If the application or its dependencies contain susceptible prototype pollution gadgets (e.g., dynamically executing shell commands or scripts based on object properties), this vulnerability can be leveraged into full RCE.
Denial of Service: Attackers can overwrite built-in methods (e.g., toString) or set objects into unexpected states, causing the application to crash or throw unhandled exceptions globally.