CVE-2026-33286 (GCVE-0-2026-33286)

Vulnerability from cvelistv5 – Published: 2026-03-23 23:52 – Updated: 2026-03-24 13:35
Title
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
Summary
Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.
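The `model.send(name)` shape described above and a hardened counterpart, as an added Ruby example that is not Graphiti's own code: `Model`, its `reload` method and the `SIDELOADS` hash are hypothetical stand-ins for an ORM model and a resource's configured sideloads, and the hardened version refuses any relationship name that is not configured at that nesting level.

```ruby
# Added example, not Graphiti's code. `Model`, `reload` and `SIDELOADS` are
# hypothetical stand-ins; only the shape of the bug (recursing into
# `model.send(name)` with payload-supplied names) is taken from the advisory.
class Model
  attr_reader :errors, :comments, :author, :reload_count

  def initialize(errors: {}, comments: [], author: nil)
    @errors = errors
    @comments = comments
    @author = author
    @reload_count = 0
  end

  # A public method that is not a relationship; it stands in for the
  # "any public method" the advisory warns can be reached.
  def reload
    @reload_count += 1
    self
  end
end

# Relationships the resource actually exposes, nested like the API.
SIDELOADS = { comments: { author: {} } }.freeze

# Vulnerable shape: the relationship name from the payload goes straight
# to `send`, so the payload chooses which method runs on each model.
def all_valid_vulnerable?(model, relationships)
  return false unless model.errors.empty?
  relationships.all? do |name, nested|
    related = model.send(name)
    Array(related).all? { |r| all_valid_vulnerable?(r, nested) }
  end
end

class UnknownRelationship < StandardError; end

# Hardened shape: a name is dispatched only if it is a configured sideload
# at this level, and the nested names are checked against that sideload.
def all_valid_hardened?(model, relationships, sideloads = SIDELOADS)
  return false unless model.errors.empty?
  relationships.all? do |name, nested|
    sideload = sideloads[name.to_sym]
    raise UnknownRelationship, "unknown relationship #{name}" unless sideload
    related = model.public_send(name)
    Array(related).all? { |r| all_valid_hardened?(r, nested, sideload) }
  end
end
```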
CWE
  • CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
GitHub_M
Impacted products
Vendor Product Version
graphiti-api graphiti Affected: < 1.10.2

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33286",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T13:35:19.770094Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T13:35:27.686Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "graphiti",
          "vendor": "graphiti-api",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti\u0027s JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource\u0027s configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-913",
              "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T23:52:30.381Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2"
        },
        {
          "name": "https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54"
        },
        {
          "name": "https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2"
        }
      ],
      "source": {
        "advisory": "GHSA-3m5v-4xp5-gjg2",
        "discovery": "UNKNOWN"
      },
      "title": "Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33286",
    "datePublished": "2026-03-23T23:52:30.381Z",
    "dateReserved": "2026-03-18T18:55:47.426Z",
    "dateUpdated": "2026-03-24T13:35:27.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33286",
      "date": "2026-04-27",
      "epss": "0.00056",
      "percentile": "0.1734"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33286\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-24T00:16:30.683\",\"lastModified\":\"2026-03-25T17:18:23.687\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti\u0027s JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource\u0027s configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.\"},{\"lang\":\"es\",\"value\":\"Graphiti es un framework que se asienta sobre modelos y los expone a trav\u00e9s de una interfaz compatible con JSON:API. Las versiones anteriores a la 1.10.2 tienen una vulnerabilidad de ejecuci\u00f3n arbitraria de m\u00e9todos que afecta la funcionalidad de escritura JSONAPI de Graphiti. Un atacante puede crear una carga \u00fatil JSONAPI maliciosa con nombres de relaci\u00f3n arbitrarios para invocar cualquier m\u00e9todo p\u00fablico en la instancia del modelo subyacente, la clase o sus asociaciones. Cualquier aplicaci\u00f3n que exponga puntos finales de escritura de Graphiti (crear/actualizar/eliminar) a usuarios no confiables se ve afectada. El m\u00e9todo \u0027Graphiti::Util::ValidationResponse#all_valid?\u0027 llama recursivamente a \u0027model.send(name)\u0027 utilizando nombres de relaci\u00f3n tomados directamente de las cargas \u00fatiles JSONAPI proporcionadas por el usuario, sin validarlos contra los sideloads configurados del recurso. Esto permite a un atacante ejecutar potencialmente cualquier m\u00e9todo p\u00fablico en una instancia de modelo dada, en la clase de la instancia o en instancias o clases asociadas, incluyendo operaciones destructivas. Esto est\u00e1 parcheado en Graphiti v1.10.2. Los usuarios deben actualizar lo antes posible. Algunas soluciones alternativas est\u00e1n disponibles. Aseg\u00farese de que los puntos finales de escritura de Graphiti (crear/actualizar) no sean accesibles para usuarios no confiables y/o aplique fuertes controles de autenticaci\u00f3n y autorizaci\u00f3n antes de que se procese cualquier operaci\u00f3n de escritura, por ejemplo, use los par\u00e1metros fuertes de Rails para asegurar que solo se procesen par\u00e1metros v\u00e1lidos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-913\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:graphiti:graphiti:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"1.10.2\",\"matchCriteriaId\":\"2C0B7C94-5FBF-428C-B558-7A56DA34C7D2\"}]}]}],\"references\":[{\"url\":\"https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33286\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T13:35:19.770094Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T13:35:23.250Z\"}}], \"cna\": {\"title\": \"Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names\", \"source\": {\"advisory\": \"GHSA-3m5v-4xp5-gjg2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"graphiti-api\", \"product\": \"graphiti\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.10.2\"}]}], \"references\": [{\"url\": \"https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2\", \"name\": \"https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54\", \"name\": \"https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2\", \"name\": \"https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti\u0027s JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource\u0027s configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-913\", \"description\": \"CWE-913: Improper Control of Dynamically-Managed Code Resources\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T23:52:30.381Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33286\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T13:35:27.686Z\", \"dateReserved\": \"2026-03-18T18:55:47.426Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T23:52:30.381Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

