CVE-2026-32247 (GCVE-0-2026-32247)
Vulnerability from cvelistv5
Published
2026-03-12 19:11
Modified
2026-03-13 16:17
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Summary
Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.
References
Impacted products
Vendor Product Version
getzep graphiti Version: < 0.28.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32247",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-13T16:17:48.028799Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-13T16:17:58.625Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "graphiti",
          "vendor": "getzep",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.28.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T19:11:29.857Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g"
        },
        {
          "name": "https://github.com/getzep/graphiti/pull/1312",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getzep/graphiti/pull/1312"
        },
        {
          "name": "https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037"
        },
        {
          "name": "https://github.com/getzep/graphiti/releases/tag/v0.28.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getzep/graphiti/releases/tag/v0.28.2"
        }
      ],
      "source": {
        "advisory": "GHSA-gg5m-55jj-8m5g",
        "discovery": "UNKNOWN"
      },
      "title": "Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32247",
    "datePublished": "2026-03-12T19:11:29.857Z",
    "dateReserved": "2026-03-11T14:47:05.685Z",
    "dateUpdated": "2026-03-13T16:17:58.625Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32247\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T16:17:48.028799Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-13T16:17:54.664Z\"}}], \"cna\": {\"title\": \"Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters\", \"source\": {\"advisory\": \"GHSA-gg5m-55jj-8m5g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"getzep\", \"product\": \"graphiti\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.28.2\"}]}], \"references\": [{\"url\": \"https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g\", \"name\": \"https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getzep/graphiti/pull/1312\", \"name\": \"https://github.com/getzep/graphiti/pull/1312\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037\", \"name\": \"https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/getzep/graphiti/releases/tag/v0.28.2\", \"name\": \"https://github.com/getzep/graphiti/releases/tag/v0.28.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-943\", \"description\": \"CWE-943: Improper Neutralization of Special Elements in Data Query Logic\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-12T19:11:29.857Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32247\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-13T16:17:58.625Z\", \"dateReserved\": \"2026-03-11T14:47:05.685Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-12T19:11:29.857Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.