GHSA-3m5v-4xp5-gjg2

Source
https://github.com/advisories/GHSA-3m5v-4xp5-gjg2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3m5v-4xp5-gjg2/GHSA-3m5v-4xp5-gjg2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3m5v-4xp5-gjg2
Aliases
Published
2026-03-20T15:58:14Z
Modified
2026-03-25T21:48:48.262229Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
Details

Summary

An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations.

Impact

Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected.

The Graphiti::Util::ValidationResponse#all_valid? method recursively calls model.send(name) using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. Because the relationship name is used verbatim as a method name, an attacker can invoke any public method on the model instance, on its class, or on associated instances and classes, including destructive operations.
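As an added illustration (not Graphiti's own code), the following simplified Ruby model shows the flawed pattern beside a hardened version that checks every relationship name against the resource's configured sideloads before dispatching it. Post, Comment, SIDELOADS and the payload hashes are constructed stand-ins.

```ruby
# Constructed stand-in for an ActiveRecord-like model (hypothetical).
class Post
  attr_reader :comments, :destroyed
  def initialize
    @comments = [Comment.new]
    @destroyed = false
  end
  def valid?; true; end
  def destroy; @destroyed = true; self; end  # destructive public method
end

class Comment
  def valid?; true; end
end

# Stand-in for the resource's sideload configuration: the only relationship
# names a client may reference for each model class (constructed).
SIDELOADS = { Post => [:comments], Comment => [] }.freeze

# Flawed pattern: every relationship name in the payload is sent to the model,
# so a name that is not a relationship still becomes a method call.
def all_valid_unsafe?(model, relationships)
  return false unless model.valid?
  relationships.all? do |name, nested|
    related = model.send(name)          # user-controlled method name
    Array(related).all? { |r| all_valid_unsafe?(r, nested) }
  end
end

# Hardened pattern: reject any name that is not a configured sideload
# before anything is dispatched to the model.
def all_valid_safe?(model, relationships)
  return false unless model.valid?
  relationships.all? do |name, nested|
    allowed = SIDELOADS.fetch(model.class, [])
    raise ArgumentError, "unknown relationship #{name.inspect}" unless allowed.include?(name.to_sym)
    related = model.public_send(name)
    Array(related).all? { |r| all_valid_safe?(r, nested) }
  end
end

# Wrapper for callers that want to log and reject rather than raise.
def validate_payload(model, relationships)
  all_valid_safe?(model, relationships) ? :ok : :invalid
rescue ArgumentError
  :rejected
end

# Constructed payloads: a legitimate relationship, and a non-relationship method name.
LEGIT_PAYLOAD   = { comments: {} }.freeze
HOSTILE_PAYLOAD = { destroy: {} }.freeze
```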

Patches

This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible.

Workarounds

If upgrading to v1.10.2 is not immediately possible, consider one or more of the following mitigations:

  • Restrict write access: Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users.
  • Authentication & authorisation: Apply strong authentication and authorisation checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.
Database specific
{
    "nvd_published_at": "2026-03-24T00:16:30Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-913"
    ],
    "github_reviewed_at": "2026-03-20T15:58:14Z"
}
References

Affected packages

RubyGems / graphiti

Package

Name
graphiti
Purl
pkg:gem/graphiti

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.10.2

Affected versions

1.*
1.0.alpha.1
1.0.alpha.4
1.0.alpha.5
1.0.alpha.6
1.0.alpha.7
1.0.alpha.8
1.0.alpha.9
1.0.alpha.10
1.0.alpha.11
1.0.alpha.12
1.0.alpha.14
1.0.alpha.15
1.0.alpha.16
1.0.alpha.17
1.0.alpha.18
1.0.alpha.19
1.0.alpha.20
1.0.alpha.21
1.0.alpha.22
1.0.alpha.23
1.0.alpha.24
1.0.alpha.25
1.0.alpha.26
1.0.beta.2
1.0.beta.3
1.0.beta.4
1.0.beta.5
1.0.beta.6
1.0.beta.7
1.0.beta.8
1.0.beta.9
1.0.beta.10
1.0.beta.11
1.0.beta.12
1.0.beta.13
1.0.beta.14
1.0.beta.15
1.0.beta.16
1.0.beta.17
1.0.beta.18
1.0.beta.19
1.0.beta.20
1.0.beta.21
1.0.beta.22
1.0.beta.23
1.0.rc.1
1.0.rc.2
1.0.rc.3
1.0.rc.4
1.0.rc.5
1.0.rc.6
1.0.rc.7
1.0.rc.8
1.0.rc.9
1.0.rc.10
1.0.rc.11
1.0.rc.12
1.0.rc.14
1.0.rc.15
1.0.rc.16
1.0.rc.17
1.0.rc.18
1.0.rc.19
1.0.rc.21
1.0.rc.22
1.0.rc.23
1.0.rc.24
1.0.rc.25
1.0.rc.26
1.0.rc.27
1.0.rc.28
1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
1.2.25
1.2.26
1.2.27
1.2.28
1.2.29
1.2.30
1.2.31
1.2.32
1.2.33
1.2.34
1.2.35
1.2.36
1.2.37
1.2.38
1.2.39
1.2.40
1.2.41
1.2.42
1.2.43
1.2.44
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
1.5.0
1.5.1
1.5.2
1.5.3
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.8.0
1.8.1
1.8.2
1.9.0
1.10.0
1.10.1

Database specific

last_known_affected_version_range
"<= 1.10.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3m5v-4xp5-gjg2/GHSA-3m5v-4xp5-gjg2.json"