CVSS 9.3

oRPC before 1.13.6 allows attackers to inject malicious code

CVE-2026-28794 · GHSA-m272-9rp6-32mc
Summary

A critical prototype pollution vulnerability in the RPC JSON deserializer of oRPC's @orpc/client package lets unauthenticated remote attackers inject arbitrary properties into the global Object.prototype, which can lead to authentication bypass, denial of service, or code execution. To fix this, update oRPC to version 1.13.6 or later. If you can't update immediately, disabling the RPC JSON deserializer is a temporary workaround.

What to do
  • Update the orpc client package (@orpc/client) to version 1.13.6 or later.
Affected software
Vendor   Product         Affected versions   Fix available
orpc     client          <= 1.13.5           1.13.6
orpc     @orpc/client    <= 1.13.6           1.13.6
orpc     orpc            <= 1.13.6           –
Original title
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer...
Original description
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.
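The following is an added illustration of the weakness class named above (CWE-1321), not code from oRPC or from the advisory: a small path-based JSON deserializer (a JSON body plus "meta" entries naming which paths must be revived into richer types such as Date or BigInt) written with the guards that keep a property walk from ever reaching Object.prototype. The wire format, the function names, and the sample messages are all assumptions constructed for the example.

```javascript
// Added example, not oRPC's code: a path-based JSON deserializer with the
// prototype-pollution guards (CWE-1321) that untrusted input requires.
// The wire format and all names are assumed for illustration.

// Keys that let a property walk leave the target object and reach
// Object.prototype (or a constructor's prototype).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject any path containing a forbidden segment or a non-primitive segment.
function assertSafePath(path) {
  if (!Array.isArray(path)) throw new TypeError('path must be an array');
  for (const segment of path) {
    if (typeof segment !== 'string' && typeof segment !== 'number') {
      throw new TypeError('path segments must be strings or numbers');
    }
    if (FORBIDDEN_KEYS.has(String(segment))) {
      throw new Error(`refusing prototype-polluting key: ${segment}`);
    }
  }
}

// Read the value at `path`, following own properties only, so an inherited
// property can never be mistaken for data that came off the wire.
function getPath(target, path) {
  assertSafePath(path);
  let ref = target;
  for (const key of path) {
    if (ref === null || typeof ref !== 'object' || !Object.hasOwn(ref, key)) return undefined;
    ref = ref[key];
  }
  return ref;
}

// Write `value` at `path`. Intermediate containers are created with
// Object.create(null), which has no prototype to pollute.
function setPath(target, path, value) {
  assertSafePath(path);
  if (path.length === 0) throw new Error('path must not be empty');
  let ref = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (!Object.hasOwn(ref, key) || ref[key] === null || typeof ref[key] !== 'object') {
      ref[key] = Object.create(null);
    }
    ref = ref[key];
  }
  ref[path[path.length - 1]] = value;
  return target;
}

// Type tags live in a Map rather than a plain object: on a plain object an
// untrusted tag such as "constructor" would resolve to an inherited function
// and be accepted as a reviver.
const REVIVERS = new Map([
  ['date', (raw) => new Date(raw)],
  ['bigint', (raw) => BigInt(raw)],
]);

// wire = { json: string, meta: [[path, tag], ...] }
function deserialize(wire) {
  const root = JSON.parse(wire.json);
  if (root === null || typeof root !== 'object') return root;
  for (const [path, tag] of wire.meta) {
    const reviver = REVIVERS.get(tag);
    if (reviver === undefined) throw new Error(`unknown type tag: ${tag}`);
    const raw = getPath(root, path);
    if (raw === undefined) continue;
    setPath(root, path, reviver(raw));
  }
  return root;
}

// Constructed sample messages (not captured traffic).
const SAMPLE_WIRE = {
  json: '{"user":{"name":"ada","createdAt":"2026-03-06T00:00:00.000Z","balance":"9007199254740993"}}',
  meta: [[['user', 'createdAt'], 'date'], [['user', 'balance'], 'bigint']],
};
// A meta entry whose path would walk through the prototype chain; the guard
// rejects it before any property is written.
const MALFORMED_WIRE = {
  json: '{"user":{}}',
  meta: [[['__proto__', 'isAdmin'], 'bigint']],
};

// True when the malformed message is rejected and Object.prototype stays clean.
function malformedIsRejected() {
  let rejected = false;
  try {
    deserialize(MALFORMED_WIRE);
  } catch (err) {
    rejected = /prototype-polluting/.test(err.message);
  }
  return rejected && !('isAdmin' in {});
}

console.log(deserialize(SAMPLE_WIRE));
console.log('malformed message rejected:', malformedIsRejected());
```

Two design choices carry the weight here: every path segment is checked against the forbidden set before any read or write, and lookups use own-property checks and null-prototype containers so that neither the data walk nor the type-tag table can be steered into inherited properties. The advisory's temporary workaround (disabling the RPC JSON deserializer) removes this whole code path; the fix in 1.13.6 is the permanent answer.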
NVD CVSS 4.0 score: 9.3
Vulnerability type
CWE-1321 Prototype Pollution
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026