CVE-2026-28410

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773	Patch
https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:thegraph:graph_protocol_contracts:*:*:*:*:*:node.js:*:*

History

10 Mar 2026, 16:54

Type	Values Removed	Values Added
CPE		cpe:2.3:a:thegraph:graph_protocol_contracts::::::node.js::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.1
First Time		Thegraph graph Protocol Contracts Thegraph
References	~~() https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773 -~~	() https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773 - Patch
References	~~() https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r -~~	() https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r - Vendor Advisory

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) The Graph es un protocolo de indexación para consultar redes como Ethereum, IPFS, Polygon y otras blockchains. Antes de la versión 3.0.0, una falla en los contratos de adquisición de tokens permite a los usuarios acceder a tokens que deberían seguir bloqueados según su cronograma de adquisición de derechos. Este problema ha sido parcheado en la versión 3.0.0.

05 Mar 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 21:16

Updated : 2026-03-10 16:54

NVD link : CVE-2026-28410

Mitre link : CVE-2026-28410

CVE.ORG link : CVE-2026-28410

JSON object : View

Products Affected

thegraph

graph_protocol_contracts

CWE

CWE-284

Improper Access Control

CWE-682

Incorrect Calculation

{"id": "CVE-2026-28410", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T21:16:21.873", "references": [{"url": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-682"}]}], "descriptions": [{"lang": "en", "value": "The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0."}, {"lang": "es", "value": "The Graph es un protocolo de indexaci\u00f3n para consultar redes como Ethereum, IPFS, Polygon y otras blockchains. Antes de la versi\u00f3n 3.0.0, una falla en los contratos de adquisici\u00f3n de tokens permite a los usuarios acceder a tokens que deber\u00edan seguir bloqueados seg\u00fan su cronograma de adquisici\u00f3n de derechos. Este problema ha sido parcheado en la versi\u00f3n 3.0.0."}], "lastModified": "2026-03-10T16:54:26.127", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:thegraph:graph_protocol_contracts:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E29EDF2F-7E8C-4363-A937-3A040088B08B", "versionEndExcluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}