Unrated severityNVD Advisory· Published Mar 5, 2026· Updated Mar 6, 2026

The Graph: Revocable vesting contracts allows early access to locked tokens

CVE-2026-28410

Description

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

Affected products

The Graph/The Graphllm-create
Range: <3.0.0
graphprotocol/contractsv5
Range: < 3.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773mitrex_refsource_MISC
github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39rmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000