CVE-2026-32247
Cypher Injection in Graphiti Affects Neo4j, FalkorDB, Neptune
Publication date: 2026-03-12
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getzep | graphiti | < 0.28.2 (fixed in 0.28.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-943 | The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32247 is a Cypher injection vulnerability in Graphiti versions before 0.28.2. Graphiti is a framework for building and querying temporal context graphs for AI agents. The defect is that label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation or sanitization, so an attacker-controlled label is not treated as a label name but can change the structure of the generated query.
The issue affects the non-Kuzu backends (Neo4j, FalkorDB, and Neptune); Kuzu uses parameterized label handling and is not affected. In MCP deployments the reachable path is wider than direct untrusted access to the Graphiti MCP server: a prompt injection attack against an LLM client can make the client call search_nodes with attacker-chosen entity_types values, and those values map to the vulnerable node_labels.
Graphiti 0.28.2 fixes the issue by strictly validating and sanitizing node labels and group IDs before they are used in Cypher query construction.
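The concatenation pattern described above, beside the kind of validation that closes it, as an added schematic example in Python. This is not Graphiti's own code: the query text, the SearchFilters stand-in, the function names, the allowlist patterns and the attacker value are assumptions made for illustration of CWE-943 in a Cypher label expression.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SearchFilters:
    """Stand-in for the real Graphiti SearchFilters; only node_labels matters here."""
    node_labels: Optional[List[str]] = None


def build_node_query_vulnerable(filters: SearchFilters, group_ids: List[str]) -> Tuple[str, Dict]:
    """'Before' shape of the bug: label values are pasted into the label expression.

    Nothing stops a label from containing ')' or '//', so one label can close the
    node pattern, replace the rest of the query, and comment out the original
    group_id filter. group_ids are already a query parameter and are not the
    injection point.
    """
    label_expr = "|".join(filters.node_labels) if filters.node_labels else "Entity"
    query = (
        f"MATCH (n:{label_expr}) "
        "WHERE n.group_id IN $group_ids "
        "RETURN n.uuid AS uuid, n.name AS name"
    )
    return query, {"group_ids": group_ids}


# Cypher does not allow a label name to be a query parameter, so the robust
# control is a strict allowlist on the label text before it is spliced in.
# Both patterns are assumptions for this example, not Graphiti's exact rules.
LABEL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
GROUP_ID_RE = re.compile(r"[A-Za-z0-9_-]+")


def validate_label(label: str) -> str:
    if not isinstance(label, str) or not LABEL_RE.fullmatch(label):
        raise ValueError(f"rejected node label: {label!r}")
    return label


def validate_group_id(group_id: str) -> str:
    # group_ids travel as a parameter, so this mirrors the described fix
    # (validation of group IDs) rather than closing an injection path.
    if not isinstance(group_id, str) or not GROUP_ID_RE.fullmatch(group_id):
        raise ValueError(f"rejected group_id: {group_id!r}")
    return group_id


def build_node_query_safe(filters: SearchFilters, group_ids: List[str]) -> Tuple[str, Dict]:
    """'After' shape: every label is validated before concatenation."""
    labels = [validate_label(label) for label in (filters.node_labels or ["Entity"])]
    gids = [validate_group_id(g) for g in group_ids]
    label_expr = "|".join(labels)
    query = (
        f"MATCH (n:{label_expr}) "
        "WHERE n.group_id IN $group_ids "
        "RETURN n.uuid AS uuid, n.name AS name"
    )
    return query, {"group_ids": gids}


def text_the_database_parses(query: str) -> str:
    """Drop a trailing '//' line comment, i.e. the part Cypher actually executes."""
    return query.split("//", 1)[0].strip()


# Constructed attacker value (not taken from the advisory): it closes the label
# expression, returns every node regardless of group, and comments out the rest.
MALICIOUS_LABEL = "Entity) RETURN n.uuid AS uuid, n.name AS name //"


if __name__ == "__main__":
    q, params = build_node_query_vulnerable(SearchFilters([MALICIOUS_LABEL]), ["tenant-a"])
    print("vulnerable query:", q)
    print("what runs:       ", text_the_database_parses(q))  # group_id filter is gone
    try:
        build_node_query_safe(SearchFilters([MALICIOUS_LABEL]), ["tenant-a"])
    except ValueError as err:
        print("hardened builder:", err)
    print(build_node_query_safe(SearchFilters(["Person", "Organization"]), ["tenant-a"])[0])
```

The hardened builder is stricter than Cypher itself (backtick-quoted labels may contain other characters), which is the point: labels that reach the query text must come from an allowlist, and anything that cannot be a parameter should be checked against a pattern at least this tight. An allowlist of the entity type names the application actually defines is tighter still.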
How can this vulnerability impact me?
Successful exploitation of this vulnerability allows an attacker to execute arbitrary Cypher queries with the privileges of the graph database connection. This can lead to unauthorized reading, modification, or deletion of graph data.
Additionally, the attacker can bypass logical group isolation enforced at the query layer, potentially accessing data that should be restricted.
In MCP deployments, exploitation can occur not only through direct untrusted access but also through prompt injection attacks against LLM clients, increasing the attack surface.
The vulnerability carries a CVSS v3.1 base score of 8.1 (High): network attack vector, low attack complexity, and high impact on confidentiality and integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-32247 vulnerability, you should immediately upgrade Graphiti to version 0.28.2 or later, which includes security fixes that validate and sanitize inputs used in Cypher queries to prevent injection attacks.
- Upgrade Graphiti to version 0.28.2 or newer.
- Restrict access to Graphiti MCP tools from untrusted users and from LLM workflows that process untrusted content, since a prompt injection can turn such a workflow into the caller of search_nodes.
- Avoid passing untrusted values into SearchFilters.node_labels or MCP entity_types parameters.
- Limit graph database credentials to the minimal necessary privileges to reduce impact if exploited.