LeakyCreds

CVE-2026-33286 - Vulnerability Analysis

Critical | CVSS: 9.1

Last Updated: March 24, 2026

Graphiti - Remote Code Execution

Published: March 24, 2026 | Updated: March 24, 2026 | Remote Exploitable

Overview

Graphiti < 1.10.2 contains an arbitrary method execution vulnerability caused by unvalidated relationship names in JSONAPI write payloads, which lets attackers invoke any public method on model instances or classes. Exploitation requires access to write endpoints.
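The check this class of bug (CWE-913) lacks can be shown as an allowlist gate that runs before any relationship name from a write payload is used for lookup or dispatch. This is an added example, not Graphiti's code or its 1.10.2 fix; the resource types, relationship names, function names and payloads are constructed for illustration.

```ruby
require "json"

# Constructed allowlist of writable relationship names per resource type.
# Types and names are hypothetical, not taken from Graphiti.
ALLOWED_RELATIONSHIPS = {
  "employees" => %w[positions department],
  "positions" => %w[department]
}.freeze

# Returns [type, name] pairs for every relationship key in a JSON:API write
# payload that its resource type does not declare. Covers the primary
# resource and each entry under "included".
def undeclared_relationships(payload)
  doc = payload.is_a?(String) ? JSON.parse(payload) : payload
  return [["", "(payload is not an object)"]] unless doc.is_a?(Hash)
  included = doc["included"].is_a?(Array) ? doc["included"] : []
  [doc["data"], *included].flatten.flat_map do |res|
    next [] unless res.is_a?(Hash)
    type = res["type"].to_s
    rels = res.fetch("relationships", {})
    next [[type, "(relationships is not an object)"]] unless rels.is_a?(Hash)
    allowed = ALLOWED_RELATIONSHIPS.fetch(type, [])
    rels.keys.reject { |name| allowed.include?(name) }.map { |name| [type, name] }
  end
end

# Gate for a write endpoint: reject the whole request if any relationship
# name is undeclared, so no client-supplied name ever reaches the model.
def validate_write!(payload)
  bad = undeclared_relationships(payload)
  return true if bad.empty?
  names = bad.map { |type, name| "#{type}.#{name}" }.join(", ")
  raise ArgumentError, "undeclared relationships: #{names}"
end

# Constructed sample payloads (not captured traffic).
DECLARED_PAYLOAD = {
  "data" => { "type" => "employees", "attributes" => { "name" => "A" },
              "relationships" => { "positions" => { "data" => [] } } },
  "included" => [{ "type" => "positions",
                   "relationships" => { "department" => { "data" => nil } } }]
}.freeze
UNDECLARED_PAYLOAD = {
  "data" => { "type" => "employees",
              "relationships" => { "unlisted_name" => { "data" => nil } } }
}.freeze

puts undeclared_relationships(DECLARED_PAYLOAD).inspect
puts undeclared_relationships(UNDECLARED_PAYLOAD).inspect
```

Rejected names are worth logging with the caller's identity, since a relationship key the API never declared is a strong signal of probing on a write endpoint.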

Severity & Score

Severity: Critical
CVSS Score: 9.1

Impact

Attackers can execute arbitrary public methods on models, potentially causing data destruction or unauthorized actions.

Mitigation

Upgrade to Graphiti version 1.10.2 or later.

Details

CVE ID: CVE-2026-33286
Severity: Critical
CVSS Score: 9.1
Status: new

CWE

  • CWE-913

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H