Lookup for vulnerable packages by Package URL.

Purl pkg:gem/graphiti@1.2.11
Type gem
Namespace
Name graphiti
Version 1.2.11
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.10.2
Latest_non_vulnerable_version 1.10.2
Affected_by_vulnerabilities
0
url VCID-ut8z-6qt8-qfav
vulnerability_id VCID-ut8z-6qt8-qfav
summary
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
### Summary

An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations.

### Impact

Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected.

The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations.

### Patches

This is patched in Graphiti **v1.10.2**. Users should upgrade as soon as possible.

### Workarounds

If upgrading to v1.10.2 is not immediately possible, consider one or more of the following mitigations:

- **Restrict write access**: Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users.
- **Authentication & authorisation**: Apply strong authentication and authorisation checks before any write operation is processed; for example, use Rails strong parameters to ensure only valid parameters are processed.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33286
reference_id
reference_type
scores
0
value 0.00056
scoring_system epss
scoring_elements 0.17716
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33286
1
reference_url https://github.com/graphiti-api/graphiti
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/graphiti-api/graphiti
2
reference_url https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:35:19Z/
url https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54
3
reference_url https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:35:19Z/
url https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2
4
reference_url https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3
scoring_elements
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:35:19Z/
url https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphiti/CVE-2026-33286.yml
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphiti/CVE-2026-33286.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33286
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33286
7
reference_url https://github.com/advisories/GHSA-3m5v-4xp5-gjg2
reference_id GHSA-3m5v-4xp5-gjg2
reference_type
scores
url https://github.com/advisories/GHSA-3m5v-4xp5-gjg2
fixed_packages
0
url pkg:gem/graphiti@1.10.2
purl pkg:gem/graphiti@1.10.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/graphiti@1.10.2
aliases CVE-2026-33286, GHSA-3m5v-4xp5-gjg2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ut8z-6qt8-qfav
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/graphiti@1.2.11