CVE-2026-33286

Description

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphitis JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The Graphiti::Util::ValidationResponse#all_valid method recursively calls model.send(name) using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resources configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.

Risk Information

Base Score

9.1

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score

Exploitation Probability

0.052

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2026-33286 are fixed in Ruby-graphiti 1.10.2	Windows
Vulnerabilities CVE-2026-33286 are fixed in Ruby-graphiti for Linux 1.10.2	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234