GHSA-3M5V-4XP5-GJG2

Vulnerability from github – Published: 2026-03-20 15:58 – Updated: 2026-03-25 21:33
Summary
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
Details

Summary

An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations.

Impact

Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected.

The Graphiti::Util::ValidationResponse#all_valid? method recursively calls model.send(name) using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to run any public method on the model instance, on its class, or on associated instances and classes, including destructive operations.
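The pattern the advisory describes, as an added illustration rather than Graphiti's own code: a recursive validity walk that dispatches on payload-supplied relationship names, beside a version that checks each name against the resource's configured sideloads before calling send. The Post/Comment models, the purge_all! method and the POST_SIDELOADS list are constructed stand-ins.

```ruby
# Constructed illustration of the advisory's bug class (not Graphiti code):
# a validation walk that calls model.send(name) for every relationship name
# found in a client payload, and the same walk with an allowlist in front.
class Comment
  attr_reader :errors
  def initialize; @errors = []; end
  def valid?; errors.empty?; end
end

class Post
  attr_reader :errors, :comments, :purge_calls
  def initialize
    @errors = []
    @comments = [Comment.new]
    @purge_calls = 0
  end
  def valid?; errors.empty?; end
  # An unrelated public method that a payload must never be able to reach.
  def purge_all!; @purge_calls += 1; true; end
end

# Relationship names the resource actually configured (assumed allowlist).
POST_SIDELOADS = %w[comments].freeze

# Vulnerable shape: the relationship name is trusted as-is, so any public
# method name in the payload is invoked on the model.
def all_valid_unchecked?(model, relationships)
  return false unless model.valid?
  relationships.all? do |name, nested|
    related = model.send(name) # arbitrary public method reachable here
    Array(related).all? { |r| r.respond_to?(:valid?) ? all_valid_unchecked?(r, nested) : true }
  end
end

class UnknownRelationship < StandardError; end

# Hardened shape: a name that is not a configured sideload is rejected before
# any dispatch happens; nested levels get their own (here empty) allowlist.
def all_valid_checked?(model, relationships, sideloads)
  return false unless model.valid?
  relationships.all? do |name, nested|
    raise UnknownRelationship, name unless sideloads.include?(name.to_s)
    Array(model.send(name)).all? { |r| all_valid_checked?(r, nested, []) }
  end
end
```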

Patches

This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible.

Workarounds

If upgrading to v1.10.2 is not immediately possible, consider one or more of the following mitigations:

  • Restrict write access: Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users.
  • Authentication & authorisation: Apply strong authentication and authorisation checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.10.1"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "graphiti"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T15:58:14Z",
    "nvd_published_at": "2026-03-24T00:16:30Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nAn arbitrary method execution vulnerability has been found which affects Graphiti\u0027s JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations.\n\n### Impact\n\nAny application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. \n\nThe `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource\u0027s configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations.\n\n### Patches\n\nThis is patched in Graphiti **v1.10.2**. Users should upgrade as soon as possible.\n\n### Workarounds\n\nIf upgrading to v1.10.2 is not immediately possible, consider one or more of the following mitigations:\n\n- **Restrict write access**: Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users.\n- **Authentication \u0026 authorisation**: Apply strong authentication and authorisation checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.",
  "id": "GHSA-3m5v-4xp5-gjg2",
  "modified": "2026-03-25T21:33:29Z",
  "published": "2026-03-20T15:58:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33286"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/graphiti-api/graphiti"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphiti/CVE-2026-33286.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names"
}