VYPR
← All advisories
Critical severityNVD Advisory· Published Mar 23, 2026· Updated Mar 24, 2026

Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

CVE-2026-33286

Description

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The Graphiti::Util::ValidationResponse#all_valid? method recursively calls model.send(name) using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Graphiti prior to 1.10.2 has an arbitrary method execution vulnerability in write endpoints via unsanitized relationship names in JSONAPI payloads.

Vulnerability

Overview

CVE-2026-33286 is an arbitrary method execution vulnerability in the Graphiti framework (versions before 1.10.2). The root cause lies in the Graphiti::Util::ValidationResponse#all_valid? method, which recursively calls model.send(name) using relationship names taken directly from user-supplied JSONAPI payloads without validating them against the resource's configured sideloads [1]. This allows an attacker to invoke any public method on the underlying model instance, its class, or associated instances and classes.

Exploitation

An attacker can craft a malicious JSONAPI write payload (create, update, or delete) containing arbitrary relationship names. Because the framework does not restrict these names against the resource's defined sideloads, the attacker can trigger calls to arbitrary public methods on the model or its associations [1][4]. No authentication is required if the write endpoints are exposed to untrusted users, making this a critical risk for any application that exposes Graphiti write endpoints to the public.

Impact

Successful exploitation can lead to destructive operations on the model and its associations, including data deletion, modification, or other unintended side effects. The vulnerability allows an attacker to run any public method on the model instance, its class, or on the instance's class or associated instances, potentially compromising data integrity and availability [1][4].

Mitigation

The vulnerability is patched in Graphiti v1.10.2 [3]. Users should upgrade immediately. As a workaround, ensure Graphiti write endpoints are not accessible to untrusted users, apply strong authentication and authorization checks before any write operation, and use Rails strong parameters to validate incoming parameters [1][2].

References
  1. NVD - CVE-2026-33286
  2. GitHub - graphiti-api/graphiti: Stylish Graph APIs
  3. Release v1.10.2 · graphiti-api/graphiti
  4. ruby-advisory-db/gems/graphiti/CVE-2026-33286.yml at master · rubysec/ruby-advisory-db

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
graphitiRubyGems
< 1.10.21.10.2

Affected products

2
  • Graphiti Api/Graphitillm-fuzzy2 versions
    <1.10.2+ 1 more
    • (no CPE)range: <1.10.2
    • (no CPE)range: < 1.10.2

Patches

1
ddb5ad2b6933

fix: Ensure RequestValidator validates resource relationships

https://github.com/graphiti-api/graphitidoublevoidMar 18, 2026via ghsa
commit
2 files changed · +77 0
  • lib/graphiti/request_validators/validator.rb+7 0 modified
    @@ -49,6 +49,13 @@ def deserialized_payload
       private
 
       def process_relationships(resource, relationships, payload_path)
+        relationships.each_key do |name|
+          unless resource.class.sideload(name.to_sym)
+            full_key = fully_qualified_key(name, payload_path, :relationships)
+            @errors.add(full_key, :invalid_relationship, message: "is not a valid relationship")
+          end
+        end
+
         opts = {
           resource: resource,
           relationships: relationships
  • spec/request_validator_spec.rb+70 0 modified
    @@ -317,6 +317,76 @@ def self.name
           end
         end
       end
+
+      context "when the payload contains unknown relationships" do
+        let(:payload) do
+          {
+            data: {
+              type: "employees",
+              attributes: {first_name: "Jane"},
+              relationships: {
+                pets: {
+                  data: {type: "pets", id: "1", method: "update"}
+                }
+              }
+            },
+            included: [
+              {
+                type: "pets",
+                id: "1",
+                attributes: {name: "mel"}
+              }
+            ]
+          }
+        end
+
+        it "has an unknown relationship error" do
+          expect(validate).to eq false
+          expect(instance.errors).to be_added(:'data.relationships.pets', :invalid_relationship)
+        end
+
+        it "raises InvalidRequest when using validate!" do
+          expect {
+            instance.validate!
+          }.to raise_error(Graphiti::Errors::InvalidRequest)
+        end
+      end
+
+      context "when the payload contains a valid relationship" do
+        before do
+          root_resource_class.has_many :positions, resource: nested_resource_class
+        end
+
+        let(:payload) do
+          {
+            data: {
+              type: "employees",
+              attributes: {first_name: "Jane"},
+              relationships: {
+                positions: {
+                  data: [{
+                    'temp-id': "abc123",
+                    type: "positions",
+                    method: "create"
+                  }]
+                }
+              }
+            },
+            included: [
+              {
+                'temp-id': "abc123",
+                type: "positions",
+                attributes: {title: "foo"}
+              }
+            ]
+          }
+        end
+
+        it "validates correctly" do
+          expect(validate).to eq true
+          expect(instance.errors).to be_blank
+        end
+      end
     end
   end

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.