PT-2026-26750 · Graphiti · Graphiti

Doublevoid (+1)

Published 2026-03-20 · Updated 2026-03-25 · CVE-2026-33286

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Graphiti versions prior to 1.10.2

Description: Graphiti is a framework that exposes models through a JSON:API-compliant interface. Versions prior to 1.10.2 contain a flaw where an attacker can construct a malicious JSON:API payload with arbitrary relationship names. This allows invocation of any public method on the underlying model instance, its class, or its associations. The Graphiti::Util::ValidationResponse#all_valid? method calls model.send(name) with relationship names taken directly from user-supplied JSON:API payloads, without validating them against the configured sideloads. This can lead to the execution of any public method on a model instance, its class, or associated instances, potentially including destructive operations. Applications that expose Graphiti write endpoints (create/update/delete) to untrusted users are susceptible.

Recommendations: Upgrade to Graphiti version 1.10.2 or later. Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users. Apply strong authentication and authorization checks before any write operation is processed. Use Rails strong parameters to ensure only valid parameters are processed.
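The flaw described above is the classic "dynamic dispatch on user-controlled names" pattern. The following Ruby snippet is an added illustration, not Graphiti's own code: a simplified, hypothetical `all_valid?`-style check that walks relationship names from a payload. `all_valid_unsafe?` reproduces the pattern the advisory describes (`send` with whatever name the payload supplies, so any public method such as the hypothetical `touch` becomes reachable), while `all_valid_safe?` shows the mitigation direction: accept only names that appear in a configured sideload allowlist and reject everything else before any dispatch happens. The `Article`, `Comment`, `touch` and `CONFIGURED_SIDELOADS` names are constructed for the example.

```ruby
# Added example (hypothetical model and allowlist, not Graphiti's implementation).

# A constructed stand-in for an application model exposed through a resource.
class Article
  attr_reader :title, :comments, :touched

  def initialize(title, comments: [])
    @title = title
    @comments = comments
    @touched = 0
  end

  def valid?
    !title.nil? && !title.empty?
  end

  # A public method that is NOT a relationship. With unvalidated dispatch it
  # is reachable just by naming it in the payload.
  def touch
    @touched += 1
  end
end

# A constructed associated record.
class Comment
  def valid?
    true
  end
end

# The relationships the resource was actually configured to sideload.
CONFIGURED_SIDELOADS = %w[comments].freeze

# Vulnerable pattern: the relationship name comes straight from the payload,
# so model.send reaches any public method on the instance.
def all_valid_unsafe?(model, relationship_names)
  return false unless model.valid?

  relationship_names.all? do |name|
    related = model.send(name) # arbitrary public method invocation
    Array(related).all? { |r| r.respond_to?(:valid?) ? r.valid? : true }
  end
end

# Raised when a payload names something that is not a configured sideload.
class UnknownRelationship < StandardError; end

# Hardened pattern: validate the name against the configured sideloads first,
# then dispatch only to what the allowlist permits.
def all_valid_safe?(model, relationship_names, allowed: CONFIGURED_SIDELOADS)
  return false unless model.valid?

  relationship_names.all? do |name|
    unless allowed.include?(name.to_s)
      raise UnknownRelationship, "#{name.inspect} is not a configured sideload"
    end
    Array(model.public_send(name)).all?(&:valid?)
  end
end

if __FILE__ == $PROGRAM_NAME
  article = Article.new("hello", comments: [Comment.new])
  puts all_valid_safe?(article, %w[comments])           # true
  begin
    all_valid_safe?(article, %w[touch])
  rescue UnknownRelationship => e
    puts "rejected: #{e.message}"                        # rejected before dispatch
  end
end
```

In a real application the `UnknownRelationship` error would be translated into a 4xx response by the controller layer; the important property is that the check happens before any method is dispatched, which is the same effect as validating the payload with Rails strong parameters as recommended above.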

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-33286
GHSA-3M5V-4XP5-GJG2

Affected Products

Graphiti