|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2026-33286 (graphiti): Graphiti Affected by Arbitrary Method Execution |
| 4 | + via Unvalidated Relationship Names' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- graphiti |
| 8 | +advisory: |
| 9 | + gem: graphiti |
| 10 | + cve: 2026-33286 |
| 11 | + ghsa: 3m5v-4xp5-gjg2 |
| 12 | + url: https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2 |
| 13 | + title: Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship |
| 14 | + Names |
| 15 | + date: 2026-03-20 |
| 16 | + description: | |
| 17 | + ### Summary |
| 18 | +
|
| 19 | + An arbitrary method execution vulnerability has been found which |
| 20 | + affects Graphiti's JSONAPI write functionality. An attacker can |
| 21 | + craft a malicious JSONAPI payload with arbitrary relationship |
| 22 | + names to invoke any public method on the underlying model |
| 23 | + instance, class or its associations. |
| 24 | +
|
| 25 | + ### Impact |
| 26 | +
|
| 27 | + Any application exposing Graphiti write endpoints (create/update/delete) |
| 28 | + to untrusted users is affected. |
| 29 | +
|
| 30 | + The `Graphiti::Util::ValidationResponse#all_valid?` method recursively |
| 31 | + calls `model.send(name)` using relationship names taken directly from |
| 32 | + user-supplied JSONAPI payloads, without validating them against the |
| 33 | + resource's configured sideloads. This allows an attacker to potentially |
| 34 | + run any public method on a given model instance, on the instance class |
| 35 | + or associated instances or classes, including destructive operations. |
| 36 | +
|
| 37 | + ### Patches |
| 38 | +
|
| 39 | + This is patched in Graphiti **v1.10.2**. |
| 40 | + Users should upgrade as soon as possible. |
| 41 | +
|
| 42 | + ### Workarounds |
| 43 | +
|
| 44 | + If upgrading to v1.10.2 is not immediately possible, consider one |
| 45 | + or more of the following mitigations: |
| 46 | +
|
| 47 | + - **Restrict write access**: Ensure Graphiti write endpoints |
| 48 | + (create/update/delete) are not accessible to untrusted users. |
| 49 | + - **Authentication & authorisation**: Apply strong authentication |
| 50 | + and authorisation checks before any write operation is processed, |
| 51 | + for example use Rails strong parameters to ensure only valid |
| 52 | + parameters are processed." |
| 53 | + cvss_v3: 9.1 |
| 54 | + patched_versions: |
| 55 | + - ">= 1.10.2" |
| 56 | + related: |
| 57 | + url: |
| 58 | + - https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2 |
| 59 | + - https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/graphiti/CVE-2026-33286.yml |
| 60 | + - https://github.com/advisories/GHSA-3m5v-4xp5-gjg2 |
| 61 | +--- |
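Review bot: the Workarounds bullet at file line 52 ends with a stray double quote (`parameters are processed."`); because it sits inside the `description: |` literal block, that quote is not YAML syntax but literal text and will be rendered into the advisory body, so it should be dropped. While touching that block, the strong-parameters mitigation would be clearer if it said what to permit: the Summary and Impact text identify the problem as relationship names passed unchecked to `model.send`, so the workaround should state that only the resource's configured sideload names should be permitted in the relationships portion of the payload, rather than "valid parameters" in general.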