CVE-2026-32247 (GCVE-0-2026-32247)
Vulnerability from cvelistv5 – Published: 2026-03-12 19:11 – Updated: 2026-03-13 16:17
VLAI?
Title
Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters
Summary
Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.
Severity ?
8.1 (High)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:17:48.028799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:17:58.625Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "graphiti",
"vendor": "getzep",
"versions": [
{
"status": "affected",
"version": "\u003c 0.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T19:11:29.857Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g"
},
{
"name": "https://github.com/getzep/graphiti/pull/1312",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getzep/graphiti/pull/1312"
},
{
"name": "https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037"
},
{
"name": "https://github.com/getzep/graphiti/releases/tag/v0.28.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getzep/graphiti/releases/tag/v0.28.2"
}
],
"source": {
"advisory": "GHSA-gg5m-55jj-8m5g",
"discovery": "UNKNOWN"
},
"title": "Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32247",
"datePublished": "2026-03-12T19:11:29.857Z",
"dateReserved": "2026-03-11T14:47:05.685Z",
"dateUpdated": "2026-03-13T16:17:58.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32247",
"date": "2026-04-23",
"epss": "0.00041",
"percentile": "0.12621"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-32247\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-12T19:16:19.733\",\"lastModified\":\"2026-03-18T14:38:09.717\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.\"},{\"lang\":\"es\",\"value\":\"Graphiti es un framework para construir y consultar grafos de contexto temporal para agentes de IA. Las versiones de Graphiti anteriores a la 0.28.2 conten\u00edan una vulnerabilidad de inyecci\u00f3n Cypher en la construcci\u00f3n compartida de filtros de b\u00fasqueda para backends que no eran Kuzu. Los valores de etiquetas controlados por el atacante, suministrados a trav\u00e9s de SearchFilters.node_labels, se concatenaban directamente en expresiones de etiquetas Cypher sin validaci\u00f3n. En las implementaciones de MCP, esto era explotable no solo a trav\u00e9s del acceso directo no confiable al servidor MCP de Graphiti, sino tambi\u00e9n a trav\u00e9s de la inyecci\u00f3n de prompts contra un cliente LLM que pod\u00eda ser inducido a llamar a search_nodes con valores de entity_types controlados por el atacante. El servidor MCP mapeaba los entity_types a SearchFilters.node_labels, que luego alcanzaban la ruta de construcci\u00f3n Cypher vulnerable. Los backends afectados inclu\u00edan Neo4j, FalkorDB y Neptune. Kuzu no se vio afectado por el problema de inyecci\u00f3n de etiquetas porque utilizaba un manejo de etiquetas parametrizado en lugar de etiquetas Cypher interpoladas por cadena. Este problema se mitig\u00f3 en la 0.28.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-943\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getzep:graphiti:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.28.2\",\"matchCriteriaId\":\"5F936A08-BA4E-46CE-B94A-5819ACC1C584\"}]}]}],\"references\":[{\"url\":\"https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getzep/graphiti/pull/1312\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/getzep/graphiti/releases/tag/v0.28.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Mitigation\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32247\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T16:17:48.028799Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-13T16:17:54.664Z\"}}], \"cna\": {\"title\": \"Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters\", \"source\": {\"advisory\": \"GHSA-gg5m-55jj-8m5g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"getzep\", \"product\": \"graphiti\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.28.2\"}]}], \"references\": [{\"url\": \"https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g\", \"name\": \"https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getzep/graphiti/pull/1312\", \"name\": \"https://github.com/getzep/graphiti/pull/1312\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037\", \"name\": \"https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/getzep/graphiti/releases/tag/v0.28.2\", \"name\": \"https://github.com/getzep/graphiti/releases/tag/v0.28.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-943\", \"description\": \"CWE-943: Improper Neutralization of Special Elements in Data Query Logic\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-12T19:11:29.857Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32247\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-13T16:17:58.625Z\", \"dateReserved\": \"2026-03-11T14:47:05.685Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-12T19:11:29.857Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…