<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Graphiti - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/graphiti/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/graphiti/feed.xml" rel="self" type="application/rss+xml"/><item><title>Graphiti JSONAPI Arbitrary Method Execution Vulnerability (CVE-2026-33286)</title><link>https://feed.craftedsignal.io/briefs/2024-01-graphiti-method-execution/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-graphiti-method-execution/</guid><description>Graphiti versions prior to 1.10.2 are vulnerable to arbitrary method execution via maliciously crafted JSONAPI payloads, allowing attackers to invoke public methods on model instances, classes, or associations.</description><content:encoded><![CDATA[<p>Graphiti, a framework for exposing models via a JSON:API-compliant interface, contains an arbitrary method execution vulnerability (CVE-2026-33286) in versions prior to 1.10.2. This flaw resides within Graphiti's JSONAPI write functionality, specifically affecting how relationship names are handled. By crafting a malicious JSONAPI payload with arbitrary relationship names, an attacker can invoke any public method on the underlying model instance, its class, or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is susceptible to this attack. The vulnerability stems from the <code>Graphiti::Util::ValidationResponse#all_valid?</code> method's recursive calls to <code>model.send(name)</code> without proper validation of user-supplied relationship names. This allows attackers to potentially execute arbitrary public methods, including destructive operations. Upgrade to Graphiti v1.10.2 to patch the vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Graphiti endpoint (create/update/delete) accessible to untrusted users.</li>
<li>The attacker crafts a malicious JSONAPI payload containing arbitrary relationship names.</li>
<li>The malicious payload is submitted to the Graphiti endpoint.</li>
<li><code>Graphiti::Util::ValidationResponse#all_valid?</code> processes the payload and recursively calls <code>model.send(name)</code> using the attacker-controlled relationship names.</li>
<li>The attacker leverages the ability to call arbitrary public methods on the model instance, class, or associated instances/classes.</li>
<li>The attacker executes a destructive or malicious method, such as deleting data, modifying configurations, or executing arbitrary code.</li>
<li>The application state is altered based on the executed method, potentially leading to data loss, privilege escalation, or complete system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-33286) can lead to arbitrary method execution on the server, potentially resulting in complete system compromise. Attackers could delete data, modify configurations, escalate privileges, or even execute arbitrary code on the affected system. The vulnerability affects any application exposing Graphiti write endpoints to untrusted users. The severity is high due to the potential for remote code execution and data corruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Graphiti v1.10.2 to patch the vulnerability (CVE-2026-33286).</li>
<li>Implement strong authentication and authorization checks before processing any write operation on Graphiti endpoints.</li>
<li>Apply strong parameter filtering (e.g., Rails strong parameters) to ensure only valid parameters are processed, mitigating the risk of arbitrary method calls.</li>
<li>Monitor web server logs for suspicious POST requests containing unusual or unexpected relationship names in JSONAPI payloads. Deploy the Sigma rules provided to detect this activity.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>graphiti</category><category>jsonapi</category><category>method-execution</category><category>vulnerability</category></item></channel></rss>