Arbitrary Method Execution Vulnerability in Graphiti Framework
CVE-2026-33286
What is CVE-2026-33286?
The Graphiti framework, which provides a JSON:API-compliant interface for interacting with application models, has an arbitrary method execution vulnerability. The issue arises in the handling of JSON:API requests, which lets an attacker craft a malicious payload. Specifically, the 'all_valid?' method in 'Graphiti::Util::ValidationResponse' calls model methods named by user input without proper validation. As a result, an untrusted user could invoke any public method on the model, potentially with destructive outcomes. The vulnerability is fixed in version 1.10.2, and users are strongly encouraged to upgrade promptly. Enforcing robust authentication and authorization, or restricting write access to trusted users, is also crucial for mitigating the risk.
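The flawed pattern the paragraph describes, dispatching a method whose name comes from request input, and the allowlist check that closes it, shown as an added Ruby example. This is illustrative code written for this page, not Graphiti's own implementation: the Post model, its RELATIONSHIPS constant, the two resolver modules and the payload keys are all constructed stand-ins.

```ruby
# Added illustration (not Graphiti's own code): a resolver that dispatches
# a model method named by the request payload, beside an allowlisted one.
# All class, module and key names below are constructed for this example.

# Stand-in model with harmless readers and one destructive public method.
class Post
  # Only these names are legitimate relationships for this model.
  RELATIONSHIPS = %w[comments].freeze

  attr_reader :title, :comments

  def initialize(title)
    @title = title
    @comments = []
    @destroyed = false
  end

  # Destructive public method that a relationship lookup must never reach.
  def destroy!
    @destroyed = true
  end

  def destroyed?
    @destroyed
  end
end

# Vulnerable pattern: the relationship name is taken straight from the
# payload and dispatched with public_send, so every public method on the
# model is reachable, not just relationships.
module UnsafeResolver
  def self.related(model, name)
    model.public_send(name)
  end
end

# Hardened pattern: only names the model declares as relationships are
# dispatched; anything else is rejected before any call is made.
module SafeResolver
  class UnknownRelationship < StandardError; end

  def self.related(model, name)
    allowed = model.class::RELATIONSHIPS
    unless allowed.include?(name.to_s)
      raise UnknownRelationship, "unknown relationship: #{name.inspect}"
    end
    model.public_send(name)
  end
end

# Constructed payload fragments standing in for relationship keys parsed
# out of a JSON:API request body.
LEGIT_KEY = "comments"
HOSTILE_KEY = "destroy!"

# Runs both resolvers against both keys and returns a summary hash so the
# outcome can be checked rather than only printed.
def demo
  unsafe_post = Post.new("a")
  UnsafeResolver.related(unsafe_post, LEGIT_KEY)
  UnsafeResolver.related(unsafe_post, HOSTILE_KEY) # payload reaches destroy!

  safe_post = Post.new("b")
  SafeResolver.related(safe_post, LEGIT_KEY)
  rejected = begin
    SafeResolver.related(safe_post, HOSTILE_KEY)
    false
  rescue SafeResolver::UnknownRelationship
    true
  end

  {
    unsafe_destroyed: unsafe_post.destroyed?, # true: payload drove a destructive call
    safe_destroyed: safe_post.destroyed?,     # false: allowlist stopped it
    hostile_key_rejected: rejected            # true
  }
end

puts demo.inspect
```

The defensive point is that validation must happen on the name before dispatch, against a list the model itself declares; checking only that a method responds (or catching NoMethodError) does not help, because the destructive method is a perfectly valid public method.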
Affected Version(s)
graphiti < 1.10.2
