CVE-2026-33286

EPSS 0.05%
Veröffentlicht 23.03.2026 23:52:30
Zuletzt bearbeitet 25.03.2026 17:18:23
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Graphiti ≫ Graphiti SwPlatformruby Version < 1.10.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.162

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-913 Improper Control of Dynamically-Managed Code Resources

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2

Vendor Advisory

Mitigation

https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54

Patch

https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-33286

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33286

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33286

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33286