CVE-2026-33286 Overview
CVE-2026-33286 is an arbitrary method execution vulnerability affecting the Graphiti framework, a Ruby-based JSON:API-compliant interface layer for models. This vulnerability allows attackers to craft malicious JSONAPI payloads with arbitrary relationship names to invoke any public method on underlying model instances, classes, or their associations. Applications exposing Graphiti write endpoints (create/update/delete) to untrusted users are at significant risk of exploitation.
Critical Impact
Attackers can execute arbitrary public methods on model instances and classes, potentially enabling destructive operations, data manipulation, or complete application compromise through malicious JSONAPI payloads.
Affected Products
- Graphiti versions prior to 1.10.2
- Ruby applications using Graphiti for JSON:API endpoints
- Any application exposing Graphiti write endpoints to untrusted users
Discovery Timeline
- 2026-03-24 - CVE-2026-33286 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33286
Vulnerability Analysis
The vulnerability resides in Graphiti's JSONAPI write functionality, specifically within the Graphiti::Util::ValidationResponse#all_valid? method. This method recursively processes relationship names from user-supplied JSONAPI payloads without proper validation against the resource's configured sideloads.
When processing relationships, the method passes each user-controlled relationship name directly to model.send(name), Ruby's dynamic method dispatch. Because the name is never checked against the sideloads declared in the Graphiti resource configuration, an attacker can place arbitrary method names in the relationships member of a JSONAPI payload and have them invoked as public methods on the model instance, its class, or associated objects.
The attack surface covers all write operations (the create, update, and delete endpoints), which makes this vulnerability particularly dangerous for applications that accept untrusted user input through them.
Root Cause
The root cause is improper input validation (CWE-913: Improper Control of Dynamically-Managed Code Resources). The Graphiti::Util::ValidationResponse#all_valid? method fails to validate that relationship names provided in JSONAPI payloads correspond to actually configured sideloads on the resource. Instead, it blindly trusts user input and passes these names directly to model.send(), which invokes the method with the given name on the model object.
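To make the root cause concrete, here is an added illustration (not Graphiti's own code): a constructed model and resource, the unchecked dispatch pattern the advisory describes, and a checked variant that rejects names which are not configured sideloads before anything is sent. Post, PostResource and the payload fragments are assumptions made for this example.

```ruby
require 'set'

# Constructed stand-ins for an application model and a Graphiti resource.
class Post
  attr_reader :comments, :destroyed
  def initialize
    @comments = []
    @destroyed = false
  end

  # A public method that no relationship should ever be able to reach.
  def destroy
    @destroyed = true
  end
end

class PostResource
  SIDELOADS = Set[:comments].freeze        # the only relationship configured
  def self.sideload(name)
    SIDELOADS.include?(name)
  end
end

# Vulnerable pattern: every key of the user-supplied relationships hash is
# used as a method name, so the payload decides what gets called.
def process_relationships_unchecked(model, relationships)
  relationships.each_key.map { |name| model.send(name) }
end

# Hardened pattern, in the spirit of the 1.10.2 fix: a name that is not a
# configured sideload is reported as an error and never reaches send.
def process_relationships_checked(model, resource_class, relationships)
  errors = relationships.each_key.reject { |name| resource_class.sideload(name.to_sym) }
                        .map { |name| "#{name} is not a valid relationship" }
  return [false, errors] unless errors.empty?
  [true, relationships.each_key.map { |name| model.send(name) }]
end

# Constructed payload fragments (the `relationships` member of a JSON:API document).
LEGIT_RELATIONSHIPS   = { 'comments' => { 'data' => [] } }.freeze
HOSTILE_RELATIONSHIPS = { 'destroy'  => { 'data' => [] } }.freeze
```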
Attack Vector
The attack is network-based and requires no authentication or user interaction in vulnerable configurations. An attacker can exploit this vulnerability by:
- Identifying an application with exposed Graphiti write endpoints
- Crafting a malicious JSONAPI payload containing arbitrary method names in the relationships section
- Sending the payload to a create or update endpoint
- The vulnerable code then treats each relationship name as a method name and invokes it on the model
The following patch demonstrates the fix implemented in version 1.10.2:
private
def process_relationships(resource, relationships, payload_path)
+ relationships.each_key do |name|
+ unless resource.class.sideload(name.to_sym)
+ full_key = fully_qualified_key(name, payload_path, :relationships)
+ @errors.add(full_key, :invalid_relationship, message: "is not a valid relationship")
+ end
+ end
+
opts = {
resource: resource,
relationships: relationships
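Review bot: the new loop at the top of process_relationships records an error for a name with no configured sideload but neither skips it nor removes it from relationships, and the unchanged hash is still packed into opts immediately afterwards. If the caller only consults @errors after the relationships have been walked, an unknown name can still reach the dynamic dispatch; either return as soon as @errors is non-empty, or pass a filtered hash such as `relationships.select { |n, _| resource.class.sideload(n.to_sym) }` into opts. It is also worth confirming that resource.class.sideload returns nil rather than raising for an unknown name, so that probing produces a validation error and not a 500.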
Source: GitHub Commit ddb5ad2b
The fix validates each relationship name against the resource's configured sideloads before processing, rejecting any names that are not legitimate relationships.
Detection Methods for CVE-2026-33286
Indicators of Compromise
- Unusual JSONAPI payloads containing unexpected or suspicious relationship names in write requests
- Error logs showing attempts to call non-existent or unusual methods on model objects
- Unexpected data modifications or deletions that cannot be attributed to normal application usage
- Web application firewall or API gateway logs showing malformed JSONAPI relationship structures
Detection Strategies
- Implement application-level logging to capture all relationship names processed in JSONAPI write operations
- Monitor for JSONAPI payloads containing relationship names that do not match defined resource sideloads
- Deploy web application firewalls with rules to detect anomalous JSONAPI payload structures
- Review application logs for Ruby NoMethodError exceptions that may indicate probing attempts
Monitoring Recommendations
- Enable verbose logging on Graphiti write endpoints to capture incoming payload structures
- Set up alerts for requests containing unusual relationship names or high volumes of failed relationship validations
- Monitor for patterns of requests testing various method names in the relationships field
- Implement rate limiting on write endpoints to slow down enumeration attempts
How to Mitigate CVE-2026-33286
Immediate Actions Required
- Upgrade Graphiti to version 1.10.2 or later immediately
- Audit all applications using Graphiti to identify exposed write endpoints
- Implement authentication and authorization checks on all Graphiti write endpoints
- Consider temporarily disabling write endpoints if immediate patching is not possible
Patch Information
The vulnerability has been fixed in Graphiti version 1.10.2. The patch adds validation to ensure that relationship names in JSONAPI payloads are checked against the resource's configured sideloads before being processed. Users should upgrade to this version or later as soon as possible.
For detailed information about the security fix, see the GitHub Security Advisory GHSA-3m5v-4xp5-gjg2 and the GitHub Release v1.10.2.
Workarounds
- Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users
- Apply strong authentication and authorization checks before any write operation is processed
- Use Rails strong parameters to ensure only valid parameters are processed
- Implement request validation middleware to sanitize JSONAPI payloads before they reach Graphiti
# Update Graphiti to the patched version
bundle update graphiti
# Or specify the minimum version in your Gemfile
# gem 'graphiti', '>= 1.10.2'
# Then run bundle install
bundle install
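As an added example of the request validation middleware named in the workarounds, which also implements the detection strategy of flagging relationship names that do not match defined sideloads, here is a small Rack middleware (not part of Graphiti or the original advisory). The per-type allow-list, the JsonapiRelationshipGuard name and the sample bodies are assumptions; in a real deployment the allow-list is filled from your own Graphiti resource definitions.

```ruby
require 'json'
require 'stringio'

# Rack middleware: inspect JSON:API write requests before Graphiti sees them.
# Relationship names that are not configured sideloads for the resource type
# are logged (detection) and the request is rejected (workaround).
class JsonapiRelationshipGuard
  WRITE_METHODS = %w[POST PATCH PUT DELETE].freeze

  # allowed_sideloads: { 'resource type' => ['relationship', ...] } (assumed
  # mapping; fill it from your own Graphiti resource definitions)
  def initialize(app, allowed_sideloads, logger: $stderr)
    @app, @allowed, @logger = app, allowed_sideloads, logger
  end

  def call(env)
    return @app.call(env) unless WRITE_METHODS.include?(env['REQUEST_METHOD'])
    body = env['rack.input'].read
    env['rack.input'].rewind                     # leave the body readable downstream
    unknown = self.class.unknown_relationships(body, @allowed)
    return @app.call(env) if unknown.empty?
    @logger.puts("jsonapi_guard rejected #{env['PATH_INFO']}: unknown relationships #{unknown.inspect}")
    errors = unknown.map { |n| { detail: "#{n} is not a valid relationship" } }
    [400, { 'content-type' => 'application/vnd.api+json' }, [{ errors: errors }.to_json]]
  end

  # Relationship names in the primary data and any `included` records that are
  # not configured sideloads for their type. Bad bodies yield a sentinel so
  # they are rejected rather than passed on.
  def self.unknown_relationships(body, allowed)
    doc = JSON.parse(body)
    return ['<invalid document>'] unless doc.is_a?(Hash)
    records = [doc['data'], *Array(doc['included'])].compact
    records.flat_map do |rec|
      next [] unless rec.is_a?(Hash)
      ok = allowed.fetch(rec['type'], [])
      (rec['relationships'] || {}).keys.reject { |name| ok.include?(name) }
    end.uniq
  rescue JSON::ParserError
    ['<unparseable body>']
  end
end

# Constructed samples: a posts resource whose only configured sideload is comments.
ALLOWED = { 'posts' => ['comments'] }.freeze
OK_BODY  = { data: { type: 'posts', attributes: { title: 'hi' },
                     relationships: { comments: { data: [] } } } }.to_json
BAD_BODY = { data: { type: 'posts',
                     relationships: { comments: { data: [] }, destroy: { data: [] } } } }.to_json
```

Mount it ahead of the Graphiti endpoints (for example with `use JsonapiRelationshipGuard, ALLOWED` in a Rails or Rack config) so that rejected requests also show up in the log as the probing pattern described under Detection Strategies.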
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.