
Commit b24e1ff

GHSA/SYNC: 1 new advisory (#1017)
1 parent 2a45afd commit b24e1ff

File tree

1 file changed

+53
-0
lines changed


gems/graphiti/CVE-2026-33286.yml

Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
---
2+
gem: graphiti
3+
cve: 2026-33286
4+
ghsa: 3m5v-4xp5-gjg2
5+
url: https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2
6+
title: Graphiti Affected by Arbitrary Method Execution via
7+
Unvalidated Relationship Names
8+
date: 2026-03-20
9+
description: |
10+
### Summary
11+
12+
An arbitrary method execution vulnerability has been found which
13+
affects Graphiti's JSONAPI write functionality. An attacker can
14+
craft a malicious JSONAPI payload with arbitrary relationship
15+
names to invoke any public method on the underlying model
16+
instance, class or its associations.
17+
18+
### Impact
19+
20+
Any application exposing Graphiti write endpoints (create/update/delete)
21+
to untrusted users is affected.
22+
23+
The `Graphiti::Util::ValidationResponse#all_valid?` method recursively
24+
calls `model.send(name)` using relationship names taken directly from
25+
user-supplied JSONAPI payloads, without validating them against the
26+
resource's configured sideloads. This allows an attacker to potentially
27+
run any public method on a given model instance, on the instance class
28+
or associated instances or classes, including destructive operations.
29+
30+
### Patches
31+
32+
This is patched in Graphiti **v1.10.2**.
33+
Users should upgrade as soon as possible.
34+
35+
### Workarounds
36+
37+
If upgrading to v1.10.2 is not immediately possible, consider one
38+
or more of the following mitigations:
39+
40+
- **Restrict write access**: Ensure Graphiti write endpoints
41+
(create/update/delete) are not accessible to untrusted users.
42+
- **Authentication & authorisation**: Apply strong authentication
43+
and authorisation checks before any write operation is processed,
44+
for example use Rails strong parameters to ensure only valid
45+
parameters are processed."
46+
cvss_v3: 9.1
47+
patched_versions:
48+
- ">= 1.10.2"
49+
related:
50+
url:
51+
- https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2
52+
- https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/graphiti/CVE-2026-33286.yml
53+
- https://github.com/advisories/GHSA-3m5v-4xp5-gjg2
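Review bot: the closing double quote on diff line 45 (`parameters are processed."`) is stray. `description` is a `|` literal block scalar, so that `"` is not closing anything; it becomes a literal character at the end of the advisory text, and there is no matching opening quote anywhere in the block. Drop it so the description ends at `parameters are processed.` The rest of the hunk is internally consistent: `patched_versions: - ">= 1.10.2"` matches the "patched in Graphiti **v1.10.2**" statement in the description, the `ghsa` identifier matches the `url` and the `related.url` entries, and the `cve` field matches the filename `gems/graphiti/CVE-2026-33286.yml`.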
