CVE-2026-33286
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Description
### Summary

An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations.

### Impact

Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations.

### Patches

This is patched in Graphiti **v1.10.2**. Users should upgrade as soon as possible.

### Workarounds

If upgrading to v1.10.2 is not immediately possible, consider one or more of the following mitigations:

- **Restrict write access**: Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users.
- **Authentication & authorisation**: Apply strong authentication and authorisation checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.
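The root cause described above is that relationship names from the request body reach `model.send(name)` without being checked against the sideloads the resource actually declares. The following is an added example (not Graphiti's own code, and not the patch) showing the shape of that missing check: relationship keys from a JSON:API payload are compared against an allowlist of configured sideloads, and the write is rejected if any key falls outside it. `PostResource`, its `sideloads` method, `relationship_names_from`, `unknown_relationships`, `validate_relationships!` and the two sample payloads are all constructed for this example.

```ruby
# Added example, not part of Graphiti: allowlist relationship names in an
# incoming JSON:API payload against the sideloads a resource configures.

# Stand-in for a Graphiti-style resource (hypothetical class). The only
# relationships this resource exposes are the ones listed here.
class PostResource
  SIDELOADS = %w[comments author].freeze

  def self.sideloads
    SIDELOADS
  end
end

# Collect the relationship names a JSON:API write payload references.
def relationship_names_from(payload)
  rels = payload.dig("data", "relationships") || {}
  rels.keys.map(&:to_s)
end

# Relationship names in the payload that the resource does NOT configure.
# An empty array means every name maps to a known sideload.
def unknown_relationships(resource, payload)
  relationship_names_from(payload) - resource.sideloads
end

# Hardened validation step: refuse the whole write if any relationship name is
# outside the allowlist, so that no untrusted name is ever used as a method
# name on the model. Returns the validated names on success.
def validate_relationships!(resource, payload)
  unknown = unknown_relationships(resource, payload)
  unless unknown.empty?
    raise ArgumentError, "unknown relationship(s): #{unknown.join(', ')}"
  end
  relationship_names_from(payload)
end

# Constructed sample payloads.
GOOD_PAYLOAD = {
  "data" => {
    "type" => "posts",
    "relationships" => {
      "comments" => { "data" => [{ "type" => "comments", "id" => "1" }] }
    }
  }
}.freeze

BAD_PAYLOAD = {
  "data" => {
    "type" => "posts",
    "relationships" => {
      "comments" => { "data" => [] },
      "not_a_sideload" => { "data" => [] }
    }
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  p validate_relationships!(PostResource, GOOD_PAYLOAD)
  begin
    validate_relationships!(PostResource, BAD_PAYLOAD)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The same idea is what the "strong parameters" workaround achieves at the controller layer: the set of acceptable relationship keys is fixed by the application, and anything else is dropped or rejected before it can reach model code.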
Analysis
A critical arbitrary method execution vulnerability affects Graphiti's JSONAPI write functionality, allowing attackers to invoke any public method on underlying model instances, classes, or associations through crafted JSONAPI payloads. Applications using Graphiti (a Ruby gem for building JSON:API compliant APIs) that expose write endpoints to untrusted users are affected, particularly versions prior to 1.10.2. …
Remediation
Within 24 hours: Identify all applications using Graphiti and their exposure scope; implement WAF rules to block suspicious JSONAPI payloads targeting write endpoints; disable write functionality if not essential. Within 7 days: Evaluate upgrade feasibility to Graphiti 1.10.2 or later; implement network segmentation to restrict API access to trusted networks only. …
External POC / Exploit Code
GHSA-3m5v-4xp5-gjg2