CVE-2026-33286

{"id": "CVE-2026-33286", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-03-24T00:16:30.683", "references": [{"url": "https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2", "tags": ["Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-913"}]}], "descriptions": [{"lang": "en", "value": "Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed."}, {"lang": "es", "value": "Graphiti es un framework que se asienta sobre modelos y los expone a trav\u00e9s de una interfaz compatible con JSON:API. Las versiones anteriores a la 1.10.2 tienen una vulnerabilidad de ejecuci\u00f3n arbitraria de m\u00e9todos que afecta la funcionalidad de escritura JSONAPI de Graphiti. Un atacante puede crear una carga \u00fatil JSONAPI maliciosa con nombres de relaci\u00f3n arbitrarios para invocar cualquier m\u00e9todo p\u00fablico en la instancia del modelo subyacente, la clase o sus asociaciones. Cualquier aplicaci\u00f3n que exponga puntos finales de escritura de Graphiti (crear/actualizar/eliminar) a usuarios no confiables se ve afectada. El m\u00e9todo 'Graphiti::Util::ValidationResponse#all_valid?' llama recursivamente a 'model.send(name)' utilizando nombres de relaci\u00f3n tomados directamente de las cargas \u00fatiles JSONAPI proporcionadas por el usuario, sin validarlos contra los sideloads configurados del recurso. Esto permite a un atacante ejecutar potencialmente cualquier m\u00e9todo p\u00fablico en una instancia de modelo dada, en la clase de la instancia o en instancias o clases asociadas, incluyendo operaciones destructivas. Esto est\u00e1 parcheado en Graphiti v1.10.2. Los usuarios deben actualizar lo antes posible. Algunas soluciones alternativas est\u00e1n disponibles. Aseg\u00farese de que los puntos finales de escritura de Graphiti (crear/actualizar) no sean accesibles para usuarios no confiables y/o aplique fuertes controles de autenticaci\u00f3n y autorizaci\u00f3n antes de que se procese cualquier operaci\u00f3n de escritura, por ejemplo, use los par\u00e1metros fuertes de Rails para asegurar que solo se procesen par\u00e1metros v\u00e1lidos."}], "lastModified": "2026-03-25T17:18:23.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:graphiti:graphiti:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "2C0B7C94-5FBF-428C-B558-7A56DA34C7D2", "versionEndExcluding": "1.10.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}