Description
Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.
Published: 2026-03-23
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary method execution on data models via unauthenticated write endpoints
Action: Immediate Patch
AI Analysis

Impact

Graphiti is an API framework that exposes data models via JSON:API. Versions before 1.10.2 evaluate relationship names taken from client payloads without validating them. When a write operation (create, update or delete) is processed, `Graphiti::Util::ValidationResponse#all_valid?` recursively calls `model.send(name)` for each relationship name in the payload. An attacker who can submit a JSON:API write payload can therefore invoke any public method on the model instance, on its class, or on associated instances and classes. Depending on which methods the application's models expose, the outcome ranges from data manipulation to destructive operations such as deleting records; the published CVSS vector rates integrity and availability impact as high and confidentiality impact as none. The weakness is classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources): untrusted input selects which code runs.
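To make the pattern described in the Description and in the Impact paragraph concrete, the following is an added example written for this page; it is not Graphiti's code and the `Post`, `Comment` and `Author` models, the `SIDELOADS` configuration and the payloads are constructed for illustration. It re-creates a recursive validation walk that passes payload relationship names straight to `send`, then the same walk with the names checked against a configured allow-list, and runs a malicious payload through both.

```ruby
# Added example (not Graphiti's code): a minimal re-creation of the pattern
# the advisory describes, so the two behaviours can be run and compared.
# Model, resource and sideload names below are constructed for illustration.

class Author
  def valid?; true; end
end

class Comment
  def initialize; @author = Author.new; end
  def author; @author; end
  def valid?; true; end
end

# Stand-in for an ORM-backed model. `comments` is its only real association;
# `destroy_all!` stands in for any destructive public method a model exposes.
class Post
  attr_reader :calls
  def initialize; @calls = []; @comments = [Comment.new]; end

  def comments
    @calls << :comments
    @comments
  end

  def destroy_all!
    @calls << :destroy_all!   # would delete rows in a real model
    []
  end

  def valid?; true; end
end

# Relationship names as the client supplied them, one hash level per depth,
# e.g. { "comments" => { "author" => {} } }. A JSON:API write payload carries
# them under data.relationships; this helper reads a one-level payload.
def relationship_tree(payload)
  rels = payload.dig("data", "relationships")
  return {} unless rels.is_a?(Hash)
  rels.keys.map { |name| [name, {}] }.to_h
end

# VULNERABLE pattern: the name from the payload goes straight to `send`,
# so the client chooses which method runs on the model.
def vulnerable_all_valid?(model, tree)
  return false unless model.valid?
  tree.all? do |name, nested|
    Array(model.send(name)).all? { |child| vulnerable_all_valid?(child, nested) }
  end
end

class UnknownRelationship < StandardError; end

# HARDENED pattern: each name must match a relationship the resource has
# configured (the allow-list), and traversal follows that configuration.
SIDELOADS = { "comments" => { "author" => {} } }.freeze

def hardened_all_valid?(model, tree, sideloads = SIDELOADS)
  return false unless model.valid?
  tree.all? do |name, nested|
    children = sideloads.fetch(name) do
      raise UnknownRelationship, "#{name} is not a configured relationship"
    end
    Array(model.public_send(name)).all? { |child| hardened_all_valid?(child, nested, children) }
  end
end

# Constructed payloads: the malicious one names a method, not an association.
MALICIOUS = { "data" => { "type" => "posts",
                          "relationships" => { "destroy_all!" => { "data" => [] } } } }.freeze
BENIGN    = { "data" => { "type" => "posts",
                          "relationships" => { "comments" => { "data" => [] } } } }.freeze

def run_comparison
  p1 = Post.new
  vulnerable_all_valid?(p1, relationship_tree(MALICIOUS))   # invokes destroy_all!
  p2 = Post.new
  begin
    hardened_all_valid?(p2, relationship_tree(MALICIOUS))
  rescue UnknownRelationship
    # rejected before any method on the model is invoked
  end
  { vulnerable_calls: p1.calls,
    hardened_calls: p2.calls,
    benign_ok: hardened_all_valid?(Post.new, relationship_tree(BENIGN)) }
end

puts run_comparison.inspect if $PROGRAM_NAME == __FILE__
```

The decisive change is the `fetch` against the configured relationship map, not the switch from `send` to `public_send`: `send` ignores method visibility, but even `public_send` still lets the client pick any public method, so an allow-list derived from the resource's own configuration is the check that closes the hole.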

Affected Systems

Affected systems are applications that use the Ruby gem graphiti at any version before 1.10.2 and expose Graphiti's JSON:API write endpoints to untrusted input. Any Rails or other Ruby application that mounts Graphiti resources for create, update or delete is at risk when those endpoints are reachable by external clients. The fixing commit and the release tag v1.10.2 mark the boundary of the affected range.

Risk and Exploitability

The CVSS v3.1 base score is 9.1 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H: network-reachable, low complexity, no privileges or user interaction required, high impact on integrity and availability. EPSS below 1% indicates a low current probability of exploitation in the wild, and the CVE is not in the CISA KEV catalog. Nevertheless the attack surface is an ordinary HTTP or HTTPS request to a write endpoint, reachable by any client the application lets through, authenticated or not; a successful request can tamper with or delete data or render the service unavailable. The advisory recommends upgrading immediately and gating write operations behind authentication and authorization; until that is done, every exposed Graphiti write interface should be treated as high risk.

Generated by OpenCVE AI on March 25, 2026 at 19:40 UTC.

Remediation

Fixed in Graphiti v1.10.2. Until the upgrade is applied, the advisory's workarounds are to keep write endpoints (create/update) unreachable by untrusted users and to enforce authentication and authorization before any write is processed, for example with Rails strong parameters so that only expected parameters reach the framework.

OpenCVE Recommended Actions

  • Immediate upgrade to Graphiti v1.10.2 or newer
  • Restrict write endpoints (create/update/delete) so that only trusted users can invoke them
  • Implement strong authentication and authorization checks before processing any write request
  • Apply Rails strong parameters or equivalent input filtering to allow only explicitly permitted attributes
  • Monitor application logs for unexpected method calls or anomalous activity following the patch
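The filtering and monitoring items above can be combined at the request boundary. The following is an added example written for this page, not Graphiti's or Rails' code: a pure-Ruby equivalent of a strong-parameters permit list that keeps only declared relationship names for each JSON:API resource type in `data` and in `included`, and returns the rejected names so they can be logged and alerted on. The resource types, relationship names and the request body are constructed for illustration.

```ruby
# Added example (not Graphiti's or Rails' code): a request-boundary filter
# that admits only known relationship names before a JSON:API write reaches
# the framework, and reports what it dropped for logging. The application
# schema and request body below are hypothetical.
require "json"

# Allow-list per JSON:API resource type (hypothetical application schema).
ALLOWED_RELATIONSHIPS = {
  "posts"    => %w[comments tags].freeze,
  "comments" => %w[author].freeze,
}.freeze

# Drops every relationship a resource object names that is not declared for
# its type. Unknown types keep no relationships at all. Returns a new hash;
# the input is not mutated.
def filter_resource(resource, allowed, rejected)
  type = resource["type"].to_s
  rels = resource["relationships"]
  return resource unless rels.is_a?(Hash)
  permitted = allowed.fetch(type, [])
  kept = rels.select do |name, _|
    ok = permitted.include?(name)
    rejected << "#{type}.#{name}" unless ok
    ok
  end
  resource.merge("relationships" => kept)
end

# Filters `data` and every member of `included` (sideloaded writes carry
# relationships there too). Returns [filtered_payload, rejected_names].
def filter_jsonapi_write(payload, allowed = ALLOWED_RELATIONSHIPS)
  rejected = []
  out = payload.dup
  out["data"] = filter_resource(payload["data"], allowed, rejected) if payload["data"].is_a?(Hash)
  if payload["included"].is_a?(Array)
    out["included"] = payload["included"].map do |res|
      res.is_a?(Hash) ? filter_resource(res, allowed, rejected) : res
    end
  end
  [out, rejected]
end

# One structured log line per request that had something rejected; a
# non-empty `rejected` field is the signal to alert on.
def audit_line(request_id, remote_ip, rejected)
  JSON.generate({ event: "jsonapi_relationship_rejected", request_id: request_id,
                  remote_ip: remote_ip, rejected: rejected })
end

# Constructed request body: one legitimate relationship per resource plus
# two names that are methods rather than associations.
RAW_BODY = <<~BODY
  {
    "data": {
      "type": "posts",
      "attributes": { "title": "hello" },
      "relationships": {
        "comments":     { "data": [{ "type": "comments", "id": "1" }] },
        "destroy_all!": { "data": [] }
      }
    },
    "included": [
      { "type": "comments", "id": "1",
        "relationships": { "author": { "data": null }, "delete": { "data": null } } }
    ]
  }
BODY

def run_filter
  clean, rejected = filter_jsonapi_write(JSON.parse(RAW_BODY))
  { kept_data: clean["data"]["relationships"].keys,
    kept_included: clean["included"][0]["relationships"].keys,
    rejected: rejected,
    log: audit_line("req-1", "198.51.100.7", rejected) }
end

puts run_filter.inspect if $PROGRAM_NAME == __FILE__
```

In a Rails application the same permit list would normally be expressed with strong parameters in the controller; the point of the stand-alone version is that the allow-list is keyed by resource type and applied to `included` as well as `data`, since sideloaded writes put relationship names in both places, and that anything dropped is surfaced as a log event rather than silently discarded.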


Advisories

Source: GitHub GHSA
ID: GHSA-3m5v-4xp5-gjg2
Title: Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

History

Wed, 25 Mar 2026 17:30:00 +0000
Type | Values Removed | Values Added
First Time appeared | | Graphiti; Graphiti graphiti
CPEs | | cpe:2.3:a:graphiti:graphiti:*:*:*:*:*:ruby:*:*
Vendors & Products | | Graphiti; Graphiti graphiti

Tue, 24 Mar 2026 14:15:00 +0000
Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000
Type | Values Removed | Values Added
First Time appeared | | Graphiti-api; Graphiti-api graphiti
Vendors & Products | | Graphiti-api; Graphiti-api graphiti

Tue, 24 Mar 2026 02:30:00 +0000
Type | Values Removed | Values Added
Description | | (the advisory text reproduced under Description above)
Title | | Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
Weaknesses | | CWE-913
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-24T13:35:27.686Z
Reserved: 2026-03-18T18:55:47.426Z
Link: CVE-2026-33286

Vulnrichment

Updated: 2026-03-24T13:35:23.250Z

NVD

Status: Analyzed
Published: 2026-03-24T00:16:30.683
Modified: 2026-03-25T17:18:23.687
Link: CVE-2026-33286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:40:55Z

Weaknesses