CVE-2026-32247

Source
https://cve.org/CVERecord?id=CVE-2026-32247
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32247.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32247
Aliases
Published
2026-03-12T19:11:29.857Z
Modified
2026-07-08T08:00:15.636196827Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters
Details

Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.nodelabels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call searchnodes with attacker-controlled entitytypes values. The MCP server mapped entitytypes to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32247.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-943"
    ]
}
References

Affected packages

Git / github.com/getzep/graphiti

Affected ranges

Type
GIT
Repo
https://github.com/getzep/graphiti
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:getzep:graphiti:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.28.2"
        }
    ]
}

Affected versions

mcp-v1.*
mcp-v1.0.0
mcp-v1.0.1
v0.*
v0.1.0
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.11.6
v0.11.6pre1
v0.11.6pre2
v0.11.6pre3
v0.11.6pre4
v0.11.6pre5
v0.11.6pre6
v0.11.6pre7
v0.11.6pre9
v0.12.0
v0.12.0pre1
v0.12.0pre2
v0.12.0pre3
v0.12.0pre4
v0.12.0pre5
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.13.0
v0.13.1
v0.13.2
v0.14.0
v0.15.0
v0.15.1
v0.16.0
v0.17.0
v0.17.1
v0.17.10
v0.17.11
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.17.6
v0.17.7
v0.17.8
v0.17.9
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.18.7
v0.18.8
v0.18.9
v0.19.0
v0.19.0pre1
v0.19.0pre2
v0.19.0pre3
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.20.0
v0.20.1
v0.20.2
v0.20.3
v0.20.4
v0.21.0
v0.21.0pre1
v0.21.0pre10
v0.21.0pre11
v0.21.0pre12
v0.21.0pre13
v0.21.0pre2
v0.21.0pre3
v0.21.0pre4
v0.21.0pre5
v0.21.0pre6
v0.21.0pre7
v0.21.0pre8
v0.21.0pre9
v0.21.1pre1
v0.22.0
v0.22.0pre0
v0.22.0pre1
v0.22.0pre2
v0.22.0pre3
v0.22.0pre4
v0.22.0pre5
v0.22.1pre1
v0.22.1pre2
v0.23.0
v0.23.1
v0.24.0
v0.24.1
v0.24.2
v0.24.3
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.25.4
v0.25.5
v0.26.0
v0.26.1
v0.26.2
v0.26.3
v0.27.0
v0.27.0pre1
v0.27.0pre2
v0.27.1
v0.27.2pre1
v0.28.0
v0.28.1
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.12
v0.3.13
v0.3.14
v0.3.15
v0.3.16
v0.3.17
v0.3.18
v0.3.19
v0.3.2
v0.3.20
v0.3.21
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.30.0pre0
v0.30.0pre1
v0.30.0pre2
v0.30.0pre3
v0.30.0pre4
v0.30.0pre5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0pre1
v0.5.0pre2
v0.5.0pre3
v0.5.0pre4
v0.5.0pre5
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32247.json"