CVE-2026-32247
Received Received - Intake
Cypher Injection in Graphiti Affects Neo4j, FalkorDB, Neptune

Publication date: 2026-03-12

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32247
EUVD
EUVD-2026-11682
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getzep graphiti to 0.28.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32247 is a Cypher injection vulnerability found in Graphiti versions before 0.28.2. Graphiti is a framework used for building and querying temporal context graphs for AI agents. The vulnerability occurs because attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without proper validation or sanitization. This allows an attacker to inject malicious Cypher queries into the database query construction process.

The issue affects non-Kuzu backends such as Neo4j, FalkorDB, and Neptune, since Kuzu uses parameterized label handling and is not vulnerable. In MCP deployments, exploitation could happen not only through direct untrusted access to the Graphiti MCP server but also via prompt injection attacks against LLM clients that invoke search_nodes with attacker-controlled entity_types values, which map to the vulnerable node_labels.

The vulnerability was mitigated in Graphiti version 0.28.2 by implementing strict validation and sanitization of node labels and group IDs before they are used in Cypher query construction, preventing injection attacks.

Impact Analysis

Successful exploitation of this vulnerability allows an attacker to execute arbitrary Cypher queries with the privileges of the graph database connection. This can lead to unauthorized reading, modification, or deletion of graph data.

Additionally, the attacker can bypass logical group isolation enforced at the query layer, potentially accessing data that should be restricted.

In MCP deployments, exploitation can occur not only through direct untrusted access but also through prompt injection attacks against LLM clients, increasing the attack surface.

The vulnerability has a high severity CVSS v3.1 base score of 8.1, indicating a significant risk with network attack vector, low attack complexity, and high impact on confidentiality and integrity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-32247 vulnerability, you should immediately upgrade Graphiti to version 0.28.2 or later, which includes security fixes that validate and sanitize inputs used in Cypher queries to prevent injection attacks.

  • Upgrade Graphiti to version 0.28.2 or newer.
  • Restrict access to Graphiti MCP tools from untrusted users or untrusted LLM workflows that process prompts.
  • Avoid passing untrusted values into SearchFilters.node_labels or MCP entity_types parameters.
  • Limit graph database credentials to the minimal necessary privileges to reduce impact if exploited.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart