diff --git a/plugins/auth-core/src/static/auth/abac.util.ts b/plugins/auth-core/src/static/auth/abac.util.ts
index 70475136..2f0dcab4 100644
--- a/plugins/auth-core/src/static/auth/abac.util.ts
+++ b/plugins/auth-core/src/static/auth/abac.util.ts
@@ -9,6 +9,11 @@ export function getInvalidAttributes(
   // eslint-disable-next-line @typescript-eslint/ban-types
   data: Object
 ): string[] {
-  const filteredData = permission.filter(data);
+  // The structuredClone call is necessary because the
+  // `Permission.filter` function doesn't consider objects
+  // with null prototypes. And in graphql requests, the
+  // object passed here by the request interceptor is an object
+  // with a null prototype.
+  const filteredData = permission.filter(structuredClone(data));
   return Object.keys(data).filter((key) => !(key in filteredData));
 }