CVE-2026-33286
Arbitrary Method Execution in Graphiti JSONAPI Write Endpoints
Publication date: 2026-03-24
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| graphiti | graphiti | to 1.10.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-913 | The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-33286 is a critical vulnerability in the Graphiti framework, which exposes models via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution flaw in the JSONAPI write functionality (create/update/delete).'}, {'type': 'paragraph', 'content': "The vulnerability arises because the method Graphiti::Util::ValidationResponse#all_valid? calls model.send(name) recursively using relationship names taken directly from user-supplied JSONAPI payloads without validating them against the resource's configured sideloads."}, {'type': 'paragraph', 'content': 'This allows an attacker to craft malicious payloads with arbitrary relationship names to invoke any public method on the underlying model instance, its class, or associated instances/classes, potentially including destructive operations.'}, {'type': 'paragraph', 'content': 'The issue is due to improper input validation and improper control of dynamically-managed code resources, allowing execution of dynamically referenced methods based on untrusted input.'}, {'type': 'paragraph', 'content': 'This vulnerability is patched in Graphiti version 1.10.2.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized execution of any public method on model instances, their classes, or associated classes.
An attacker can perform destructive operations that compromise data integrity and availability.
Because the attack vector is network-based with low complexity and requires no privileges or user interaction, any application exposing Graphiti write endpoints to untrusted users is at risk.
This can lead to loss or corruption of data and disruption of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and analyzing JSONAPI write requests (create/update/delete) sent to Graphiti endpoints for suspicious or unexpected relationship names in the payloads. Specifically, payloads containing arbitrary or invalid relationship names that are not defined as sideloads on the resource could indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves the method Graphiti::Util::ValidationResponse#all_valid? invoking model methods based on user-supplied relationship names without validation, detection involves inspecting incoming JSONAPI payloads for unexpected relationship keys.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network traffic inspection tools (e.g., tcpdump, Wireshark) or application-level logging to capture and review JSONAPI write requests. For example, you can use grep or jq on server logs to find suspicious payloads:'}, {'type': 'list_item', 'content': "grep 'POST /your-graphiti-write-endpoint' /path/to/access.log | jq '.data.relationships | keys[]' | sort | uniq"}, {'type': 'list_item', 'content': 'Use application logs to detect errors related to invalid relationships if the patched validator is in place.'}, {'type': 'paragraph', 'content': 'Additionally, enabling strict validation (as introduced in the patch) will cause invalid relationship payloads to raise exceptions or validation errors, which can be logged and monitored.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Graphiti to version 1.10.2 or later, where the vulnerability is patched by validating resource relationships in JSONAPI payloads.
Until upgrading, immediate steps include:
- Restrict access to Graphiti write endpoints (create/update/delete) so that only trusted and authenticated users can perform write operations.
- Implement strong authentication and authorization checks before processing any write requests.
- Use Rails strong parameters or equivalent mechanisms to whitelist and validate only expected and safe parameters, preventing arbitrary relationship names from being processed.
- Monitor logs for suspicious or invalid relationship names in JSONAPI payloads to detect potential exploitation attempts.