Merged
53 changes: 53 additions & 0 deletions gems/graphiti/CVE-2026-33286.yml
@@ -0,0 +1,53 @@
---
gem: graphiti
cve: 2026-33286
ghsa: 3m5v-4xp5-gjg2
url: https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2
title: Graphiti Affected by Arbitrary Method Execution via
Unvalidated Relationship Names
date: 2026-03-20
description: |
### Summary

An arbitrary method execution vulnerability has been found which
affects Graphiti's JSONAPI write functionality. An attacker can
craft a malicious JSONAPI payload with arbitrary relationship
names to invoke any public method on the underlying model
instance, class or its associations.

### Impact

Any application exposing Graphiti write endpoints (create/update/delete)
to untrusted users is affected.

The `Graphiti::Util::ValidationResponse#all_valid?` method recursively
calls `model.send(name)` using relationship names taken directly from
user-supplied JSONAPI payloads, without validating them against the
resource's configured sideloads. This allows an attacker to potentially
run any public method on a given model instance, on the instance class
or associated instances or classes, including destructive operations.

### Patches

This is patched in Graphiti **v1.10.2**.
Users should upgrade as soon as possible.

### Workarounds

If upgrading to v1.10.2 is not immediately possible, consider one
or more of the following mitigations:

- **Restrict write access**: Ensure Graphiti write endpoints
(create/update/delete) are not accessible to untrusted users.
- **Authentication & authorisation**: Apply strong authentication
and authorisation checks before any write operation is processed,
for example use Rails strong parameters to ensure only valid
parameters are processed."
cvss_v3: 9.1
patched_versions:
- ">= 1.10.2"
related:
url:
- https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2
- https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/graphiti/CVE-2026-33286.yml
- https://github.com/advisories/GHSA-3m5v-4xp5-gjg2
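Review bot: the `description` block scalar carries a stray trailing double quote on its last line (`parameters are processed."`), with no matching opening quote anywhere in the block; because `|` is a literal block scalar the `"` is not YAML syntax, it is content, and it will be rendered verbatim in the advisory text and in bundler-audit output. Drop it so the line reads `parameters are processed.`. Two smaller points on the same hunk: the `title` value is split across two plain-scalar lines (`...Execution via` / `Unvalidated Relationship Names`), which YAML folds correctly but is unusual for this repo and easy to break on later edits, so consider putting it on one line or quoting it; and the entry gives `patched_versions` only, with no `unaffected_versions`, so if the advisory identifies the release that introduced the `model.send(name)` path in `ValidationResponse#all_valid?`, adding that range would keep older installs from being flagged unnecessarily.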