CVE-2026-33286.yml
---
gem: graphiti
cve: 2026-33286
ghsa: 3m5v-4xp5-gjg2
url: https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2
title: Graphiti Affected by Arbitrary Method Execution via
  Unvalidated Relationship Names
date: 2026-03-20
description: |
  ### Summary
  An arbitrary method execution vulnerability has been found which
  affects Graphiti's JSONAPI write functionality. An attacker can
  craft a malicious JSONAPI payload with arbitrary relationship
  names to invoke any public method on the underlying model
  instance, its class or its associations.
  ### Impact
  Any application exposing Graphiti write endpoints (create/update/delete)
  to untrusted users is affected.
  The `Graphiti::Util::ValidationResponse#all_valid?` method recursively
  calls `model.send(name)` using relationship names taken directly from
  user-supplied JSONAPI payloads, without validating them against the
  resource's configured sideloads. This allows an attacker to potentially
  run any public method on a given model instance, on the instance's class
  or on associated instances or classes, including destructive operations.
  ### Patches
  This is patched in Graphiti **v1.10.2**.
  Users should upgrade as soon as possible.
  ### Workarounds
  If upgrading to v1.10.2 is not immediately possible, consider one
  or more of the following mitigations:
  - **Restrict write access**: Ensure Graphiti write endpoints
    (create/update/delete) are not accessible to untrusted users.
  - **Authentication & authorisation**: Apply strong authentication
    and authorisation checks before any write operation is processed,
    for example, use Rails strong parameters to ensure only valid
    parameters are processed.
cvss_v3: 9.1
patched_versions:
- ">= 1.10.2"
related:
  url:
    - https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2
    - https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/graphiti/CVE-2026-33286.yml
    - https://github.com/advisories/GHSA-3m5v-4xp5-gjg2
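As an added illustration of the flaw class the advisory describes (this is not Graphiti's code), the Ruby below walks a JSON:API `relationships` hash over a constructed toy model two ways: the first dispatches every relationship name from the payload to the model unchecked, the second accepts only names declared in a per-class sideload map (an assumed shape) and raises on anything else, which is the kind of validation the fix calls for.

```ruby
# Constructed toy model with one legitimate association ("comments") and
# one public method ("destroy") that a request payload must never reach.
class Comment
  attr_reader :touched
  def initialize; @touched = false; end
  def touch; @touched = true; end
end

class Post
  attr_reader :comments, :destroyed
  def initialize(comments = [])
    @comments = comments
    @destroyed = false
  end
  def destroy; @destroyed = true; end
end

# Hypothetical vulnerable traversal (the pattern the advisory describes):
# every key of the "relationships" hash is dispatched to the model and the
# recursion continues into whatever the call returns.
def walk_relationships_unchecked(model, relationships)
  relationships.each do |name, nested|
    Array(model.public_send(name)).each do |child|
      walk_relationships_unchecked(child, nested)
    end
  end
  true
end

# Hardened form: a relationship name is looked up in the per-class map of
# configured sideloads before anything is dispatched, at every level of
# the recursion, so "destroy", "class", "touch" and the like never reach
# public_send. The map layout is an assumption made for this example.
SIDELOADS = {
  Post    => { "comments" => Comment },
  Comment => {},
}.freeze

def walk_relationships_checked(model, relationships, sideloads = SIDELOADS)
  allowed = sideloads.fetch(model.class, {})
  relationships.each do |name, nested|
    unless allowed.key?(name.to_s)
      raise ArgumentError, "unknown relationship #{name.inspect} on #{model.class}"
    end
    Array(model.public_send(name)).each do |child|
      walk_relationships_checked(child, nested, sideloads)
    end
  end
  true
end
```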