Description
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.
Published: 2026-03-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized release of locked tokens
Action: Patch
AI Analysis

Impact

A flaw in the Graph Protocol’s token vesting contracts allows early access to tokens that should be locked by the vesting schedule. This results in users receiving tokens before the intended release date, undermining the intended allocation and potentially resulting in financial loss for token holders or depositors. The weakness corresponds to improper authorization handling and an incorrect manipulation of data, as indicated by the associated CWEs.

Affected Systems

The vulnerability affects the Graph Protocol Contracts developed by The Graph. It appears in all releases prior to version 3.0.0 that run on a Node.js environment. The latest patched release is v3.0.0; earlier versions remain vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. EPSS is reported as less than 1 %, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker interacting with the smart contract on the blockchain network, triggering the vulnerability through normal claim functions. No public exploit has been disclosed, but the flaw allows an attacker with transactional access to claim vested tokens early, thereby gaining an advantage in token distribution.

Generated by OpenCVE AI on April 16, 2026 at 12:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Graph Protocol Contracts v3.0.0 or later, which contains the patch for the vesting flaw.
  • If an upgrade is not immediately possible, restrict usage of the current contracts to a verified set of accounts and monitor for unauthorized claims.
  • After remediation, perform a code audit to confirm the vesting logic enforces the correct schedule and that no other early‑claim paths remain.

Generated by OpenCVE AI on April 16, 2026 at 12:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Thegraph
Thegraph graph Protocol Contracts
CPEs cpe:2.3:a:thegraph:graph_protocol_contracts:*:*:*:*:*:node.js:*:*
Vendors & Products Thegraph
Thegraph graph Protocol Contracts
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Fri, 06 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Graphprotocol
Graphprotocol contracts
Vendors & Products Graphprotocol
Graphprotocol contracts

Thu, 05 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.
Title The Graph: Revocable vesting contracts allows early access to locked tokens
Weaknesses CWE-284
CWE-682
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Graphprotocol Contracts
Thegraph Graph Protocol Contracts
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T17:54:59.280Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28410

cve-icon Vulnrichment

Updated: 2026-03-06T17:54:55.601Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T21:16:21.873

Modified: 2026-03-10T16:54:26.127

Link: CVE-2026-28410

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses