CVE-2026-32247 Overview
CVE-2026-32247 is a Cypher injection vulnerability affecting Graphiti, a framework designed for building and querying temporal context graphs for AI agents. The vulnerability exists in shared search-filter construction for non-Kuzu backends where attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without proper validation or sanitization.
This flaw is particularly concerning in MCP (Model Context Protocol) deployments, where exploitation is possible not only through direct untrusted access to the Graphiti MCP server but also through prompt injection attacks against LLM clients. An attacker could induce an LLM client to call search_nodes with malicious entity_types values, which the MCP server would map to SearchFilters.node_labels, ultimately reaching the vulnerable Cypher construction path.
Critical Impact
Attackers can exploit this Cypher injection vulnerability to execute arbitrary database queries, potentially leading to unauthorized data access or data manipulation in Neo4j, FalkorDB, and Neptune graph database backends.
Affected Products
- Graphiti versions prior to 0.28.2
- Neo4j backend deployments
- FalkorDB backend deployments
- Neptune backend deployments
Discovery Timeline
- 2026-03-12 - CVE-2026-32247 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32247
Vulnerability Analysis
This vulnerability stems from improper neutralization of special elements used in query language commands (CWE-943). The Graphiti framework failed to properly validate or sanitize user-supplied input before incorporating it into Cypher queries used to interact with graph databases.
When users provide label values through the SearchFilters.node_labels parameter, these values should be treated as untrusted data and properly parameterized before inclusion in database queries. However, the vulnerable implementation directly concatenated these values into Cypher label expressions using string interpolation, creating a classic injection vulnerability.
The attack surface is expanded in MCP deployments where the vulnerability becomes exploitable through prompt injection. An attacker can craft malicious prompts that cause an LLM client to invoke the search_nodes function with specially crafted entity_types values. The MCP server then maps these malicious values to SearchFilters.node_labels, triggering the vulnerable code path.
Notably, the Kuzu backend was not affected by this vulnerability because it implemented parameterized label handling rather than string-interpolated Cypher labels, demonstrating the effectiveness of proper parameterization as a defensive measure.
Root Cause
The root cause is the use of string concatenation to build Cypher queries instead of parameterized query construction. The SearchFilters.node_labels values were directly interpolated into Cypher label expressions without validation, allowing attackers to break out of the intended label context and inject arbitrary Cypher statements. This pattern is analogous to SQL injection but targets Cypher, the query language used by graph databases like Neo4j.
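The interpolation pattern described above beside two hardened alternatives, as an added illustration that is not Graphiti's own code: the function names, the allowlist regex and the query shapes are assumptions, and the "vulnerable" builder is a reconstruction of the pattern rather than the project's pre-0.28.2 source.

```python
import re

# Conservative allowlist for a bare Cypher label (assumption: Graphiti's own
# validator may differ). Anything outside [A-Za-z0-9_] is refused, including
# the backtick, so the quoting used below cannot be escaped.
LABEL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


class UnsafeLabelError(ValueError):
    """A SearchFilters.node_labels value failed the allowlist."""


def build_label_filter_vulnerable(node_labels: list[str]) -> str:
    # Reconstruction of the pre-0.28.2 pattern this page describes: values are
    # interpolated into the label expression, so a value containing ':', ']'
    # or '|' changes the structure of the query instead of naming a label.
    return f"MATCH (n:{'|'.join(node_labels)}) RETURN n"


def validate_labels(node_labels: list[str]) -> list[str]:
    # Reject every value that is not a plain identifier; report all of them.
    bad = [label for label in node_labels if not LABEL_RE.fullmatch(label)]
    if bad:
        raise UnsafeLabelError(f"rejected node_labels values: {bad!r}")
    return list(node_labels)


def build_label_filter_allowlisted(node_labels: list[str]) -> str:
    # Hardened variant 1: allowlist first, then backtick-quote each label.
    # Labels cannot be Cypher parameters inside a MATCH pattern, so the
    # allowlist is what keeps the inline expression safe.
    if not node_labels:
        return "MATCH (n) RETURN n"
    safe = "|".join(f"`{label}`" for label in validate_labels(node_labels))
    return f"MATCH (n:{safe}) RETURN n"


def build_label_filter_parameterized(node_labels: list[str]) -> tuple[str, dict]:
    # Hardened variant 2: keep user data out of the query text entirely by
    # comparing labels(n) with a list parameter in a WHERE clause.
    if not node_labels:
        return "MATCH (n) RETURN n", {}
    query = "MATCH (n) WHERE any(l IN labels(n) WHERE l IN $labels) RETURN n"
    return query, {"labels": list(node_labels)}
```

Variant 2 is the one to prefer where the driver supports list parameters, since it removes the need to reason about quoting at all.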
Attack Vector
The vulnerability can be exploited through two primary attack vectors:
Direct Access Attack: An attacker with access to the Graphiti MCP server can directly supply malicious label values through the SearchFilters.node_labels parameter. By crafting payloads that escape the label context, they can inject arbitrary Cypher commands.
Prompt Injection Attack: In LLM-integrated deployments, an attacker can craft malicious prompts designed to manipulate the LLM into calling search_nodes with attacker-controlled entity_types values. This indirect attack vector is particularly concerning as it leverages the trust relationship between the LLM and the Graphiti service.
The vulnerability allows attackers to read, modify, or delete data within the graph database, depending on the permissions of the database connection and the specific Cypher injection payload used.
Detection Methods for CVE-2026-32247
Indicators of Compromise
- Unusual or malformed Cypher queries in graph database logs containing unexpected label syntax
- Presence of Cypher injection payloads in entity_types or node_labels parameters (e.g., characters like ], :, {, } in label values)
- Unexpected data access patterns or bulk data exfiltration from Neo4j, FalkorDB, or Neptune databases
- LLM conversation logs showing prompt injection attempts designed to manipulate search_nodes calls
Detection Strategies
- Implement application-layer logging to capture all SearchFilters.node_labels values before query construction
- Configure graph database audit logging to detect anomalous query patterns or unauthorized data access
- Monitor MCP server traffic for unusual entity_types parameter values containing special characters
- Deploy content inspection on LLM prompts to identify potential prompt injection attempts targeting Graphiti functions
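One way to act on the indicators and logging recommendations above, as an added example that is not part of this advisory or of Graphiti: it scans constructed JSON-lines application logs (the log format, field names and sample records are assumptions) for entity_types or node_labels values that would not survive an identifier allowlist.

```python
import json
import re

# Any character outside a plain identifier can change the structure of a
# Cypher label expression; the page lists ], :, { and } as indicators, and
# this pattern also catches |, the backtick, quotes and whitespace.
NON_IDENTIFIER = re.compile(r"[^A-Za-z0-9_]")

# Constructed sample of JSON-lines application logs, one search_nodes call
# per line, captured before query construction as the page recommends.
SAMPLE_LOG = """\
{"ts":"2026-03-12T10:00:01Z","tool":"search_nodes","entity_types":["Person","Organization"]}
{"ts":"2026-03-12T10:00:02Z","tool":"search_nodes","entity_types":["Person]"]}
{"ts":"2026-03-12T10:00:03Z","tool":"search_nodes","entity_types":["Event:Secret"]}
{"ts":"2026-03-12T10:00:04Z","tool":"search_nodes","node_labels":["Person {x}"]}
{"ts":"2026-03-12T10:00:05Z","tool":"search_nodes","entity_types":["Place"]}
"""


def suspicious_chars(label: str) -> list[str]:
    """Distinct non-identifier characters in a label value, sorted."""
    return sorted(set(NON_IDENTIFIER.findall(label)))


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, offending value, characters) for every label value
    that fails the identifier allowlist. Both entity_types (the MCP argument)
    and node_labels (the SearchFilters field) are inspected."""
    alerts = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append((lineno, raw[:80], ["<unparseable>"]))
            continue
        values = list(record.get("entity_types", [])) + list(record.get("node_labels", []))
        for label in values:
            chars = suspicious_chars(str(label))
            if chars:
                alerts.append((lineno, str(label), chars))
    return alerts


if __name__ == "__main__":
    for lineno, value, chars in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious label {value!r} contains {chars}")
```

A hit is a trigger for review, not proof of exploitation; correlate it with the database-side query log entry for the same timestamp.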
Monitoring Recommendations
- Enable comprehensive query logging on Neo4j, FalkorDB, and Neptune backends to facilitate forensic analysis
- Set up alerts for failed or malformed Cypher query executions that may indicate injection attempts
- Monitor for unusual data access volumes or patterns that could indicate successful exploitation
- Review LLM interaction logs for anomalies in search_nodes invocations
How to Mitigate CVE-2026-32247
Immediate Actions Required
- Upgrade Graphiti to version 0.28.2 or later immediately
- Audit graph database logs for signs of exploitation prior to patching
- Review access controls on Graphiti MCP server deployments
- Consider implementing input validation at the application layer as defense in depth
Patch Information
The vulnerability has been addressed in Graphiti version 0.28.2. The fix implements proper validation and parameterization of label values before they are incorporated into Cypher queries. Organizations should upgrade to this version or later to remediate the vulnerability.
For detailed information about the fix, refer to the following resources:
- GitHub Security Advisory GHSA-gg5m-55jj-8m5g
- GitHub Pull Request #1312
- GitHub Commit 7d65d5e
- GitHub Release v0.28.2
Workarounds
- If immediate patching is not possible, consider restricting network access to the Graphiti MCP server to trusted clients only
- Implement application-level input validation to reject node_labels or entity_types containing special Cypher characters
- For MCP deployments with LLM integration, implement prompt filtering to prevent prompt injection attacks targeting Graphiti functions
- Consider migrating to the Kuzu backend, which uses parameterized label handling and is not affected by this vulnerability
# Upgrade Graphiti to the patched version (the PyPI distribution is graphiti-core;
# the specifier is quoted so the shell does not treat ">=" as an output redirect)
pip install --upgrade "graphiti-core>=0.28.2"
# Verify the installed version
pip show graphiti-core | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.