Impact
Graphiti is a framework for building and querying temporal context graphs for AI agents. Versions before 0.28.2 concatenated attacker-controlled label values supplied through SearchFilters.node_labels directly into Cypher label expressions, without validation or escaping. This is a Cypher injection flaw: a crafted label can be used to execute arbitrary Cypher statements and so to read, modify or delete data in the underlying graph database. The root cause is CWE-943 (improper neutralization of special elements in data query logic), that is, unsafe use of user input in query construction.
Affected Systems
Any deployment of Getzep Graphiti using a version older than 0.28.2 that interacts with a non-Kuzu backend (Neo4j, FalkorDB, or Amazon Neptune) is affected. The flaw is triggered when SearchFilters.node_labels contains unsanitized values; it can be reached through direct API access to the Graphiti MCP server, or through prompt injection against an LLM client that causes the client to invoke search_nodes with attacker-controlled entity_types, which are mapped to node_labels. Deployments using the Kuzu backend are not vulnerable because Kuzu uses parameterized label handling.
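To make the root cause concrete, the following is an added illustration (not Graphiti's own code) of the two ways a node_labels list can reach a Cypher query: the vulnerable concatenation pattern the advisory describes, and a hardened builder that validates each label as a bare identifier and passes the list as a query parameter instead of splicing it into the statement. The function names, the regex and the sample labels are all constructed for this example.

```python
import re
from typing import Iterable

# A Cypher label used as a plain identifier: letters, digits and underscores
# only. Anything else (backticks, quotes, braces, spaces, semicolons) is
# rejected before it can get near the query text.
_LABEL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_label_filter_unsafe(node_labels: Iterable[str]) -> str:
    """Vulnerable pattern (CWE-943): label strings are concatenated straight
    into the label expression, so whatever they contain becomes part of the
    statement the database parses."""
    return "MATCH (n:" + "|".join(node_labels) + ") RETURN n"


def validate_labels(node_labels: Iterable[str]) -> list[str]:
    """Allowlist check: every label must be a bare identifier."""
    cleaned = []
    for label in node_labels:
        if not _LABEL_RE.fullmatch(label):
            raise ValueError(f"invalid node label: {label!r}")
        cleaned.append(label)
    return cleaned


def build_label_filter_safe(node_labels: Iterable[str]) -> tuple[str, dict]:
    """Hardened form: labels are validated, then sent as the $node_labels
    parameter. The query text is a constant, so the contents of the list
    cannot change the structure of the statement."""
    labels = validate_labels(node_labels)
    query = (
        "MATCH (n) "
        "WHERE any(l IN labels(n) WHERE l IN $node_labels) "
        "RETURN n"
    )
    return query, {"node_labels": labels}
```

The parameterized form trades the index-backed `(n:Label)` syntax for a runtime label check; where the label expression must stay in the query text, validating against the same identifier pattern before interpolation is the minimum defence.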
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote: an attacker must be able to supply arbitrary node_labels through the public API, or to induce the LLM client to send malicious prompt data. Because the flaw permits arbitrary query construction, a successful attack can compromise the confidentiality, integrity, or availability of the data in the graph database. The overall risk profile is high severity but low exploitation probability.
OpenCVE Enrichment
GitHub GHSA