diff --git a/gems/graphiti/CVE-2026-33286.yml b/gems/graphiti/CVE-2026-33286.yml new file mode 100644 index 0000000000..ff7c28117e --- /dev/null +++ b/gems/graphiti/CVE-2026-33286.yml 
@@ -0,0 +1,53 @@ +--- +gem: graphiti +cve: 2026-33286 +ghsa: 3m5v-4xp5-gjg2 +url: https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2 +title: Graphiti Affected by Arbitrary Method Execution via + Unvalidated Relationship Names +date: 2026-03-20 +description: | + ### Summary + + An arbitrary method execution vulnerability has been found which + affects Graphiti's JSONAPI write functionality. An attacker can + craft a malicious JSONAPI payload with arbitrary relationship + names to invoke any public method on the underlying model + instance, class or its associations. + + ### Impact + + Any application exposing Graphiti write endpoints (create/update/delete) + to untrusted users is affected. + + The `Graphiti::Util::ValidationResponse#all_valid?` method recursively + calls `model.send(name)` using relationship names taken directly from + user-supplied JSONAPI payloads, without validating them against the + resource's configured sideloads. This allows an attacker to potentially + run any public method on a given model instance, on the instance class + or associated instances or classes, including destructive operations. + + ### Patches + + This is patched in Graphiti **v1.10.2**. + Users should upgrade as soon as possible. + + ### Workarounds + + If upgrading to v1.10.2 is not immediately possible, consider one + or more of the following mitigations: + + - **Restrict write access**: Ensure Graphiti write endpoints + (create/update/delete) are not accessible to untrusted users. + - **Authentication & authorisation**: Apply strong authentication + and authorisation checks before any write operation is processed, + for example use Rails strong parameters to ensure only valid + parameters are processed." 
+cvss_v3: 9.1 +patched_versions: + - ">= 1.10.2" +related: + url: + - https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2 + - https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/graphiti/CVE-2026-33286.yml + - https://github.com/advisories/GHSA-3m5v-4xp5-gjg2
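Review bot: the `description` block scalar ends with a stray closing double quote, `parameters are processed."`, that has no matching opening quote anywhere in the block; because the value is a literal `|` scalar, that character will be emitted verbatim into the rendered advisory text, so drop the trailing `"` and end the line at `parameters are processed.`. Everything else in the entry is consistent with the fields it cites: the `ghsa` id matches the slug in both `url` and the first `related` entry, and `patched_versions: - ">= 1.10.2"` agrees with the "patched in Graphiti **v1.10.2**" statement in the description.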