| purl | pkg:gem/graphiti@1.0.3 |
|---|---|

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-phm6-bgnv-xuec (Aliases: CVE-2026-33286, GHSA-3m5v-4xp5-gjg2) | Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names (full advisory text below) | |

Affected by 0 other vulnerabilities.

Advisory text for VCID-phm6-bgnv-xuec: Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

### Summary

An arbitrary method execution vulnerability affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, its class, or its associations.

### Impact

Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. An attacker can therefore invoke any public method on a given model instance, on that instance's class, or on associated instances or classes, including destructive operations.

### Patches

This is patched in Graphiti **v1.10.2**. Users should upgrade as soon as possible.

### Workarounds

If upgrading to v1.10.2 is not immediately possible, consider one or more of the following mitigations:

- **Restrict write access**: Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users.
- **Authentication & authorisation**: Apply strong authentication and authorisation checks before any write operation is processed; for example, use Rails strong parameters to ensure only valid parameters are processed.

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T07:32:01.235760+00:00 | GitLab Importer | Affected by | VCID-phm6-bgnv-xuec | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/graphiti/CVE-2026-33286.yml | 38.6.0 |