{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/method-execution/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Graphiti"],"_cs_severities":["critical"],"_cs_tags":["graphiti","jsonapi","method-execution","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Graphiti"],"content_html":"\u003cp\u003eGraphiti, a framework for exposing models via a JSON:API-compliant interface, contains an arbitrary method execution vulnerability (CVE-2026-33286) in versions prior to 1.10.2. This flaw resides within Graphiti's JSONAPI write functionality, specifically affecting how relationship names are handled. By crafting a malicious JSONAPI payload with arbitrary relationship names, an attacker can invoke any public method on the underlying model instance, its class, or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is susceptible to this attack. The vulnerability stems from the \u003ccode\u003eGraphiti::Util::ValidationResponse#all_valid?\u003c/code\u003e method's recursive calls to \u003ccode\u003emodel.send(name)\u003c/code\u003e without proper validation of user-supplied relationship names. This allows attackers to potentially execute arbitrary public methods, including destructive operations. Upgrade to Graphiti v1.10.2 to patch the vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Graphiti endpoint (create/update/delete) accessible to untrusted users.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSONAPI payload containing arbitrary relationship names.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is submitted to the Graphiti endpoint.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGraphiti::Util::ValidationResponse#all_valid?\u003c/code\u003e processes the payload and recursively calls \u003ccode\u003emodel.send(name)\u003c/code\u003e using the attacker-controlled relationship names.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to call arbitrary public methods on the model instance, class, or associated instances/classes.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a destructive or malicious method, such as deleting data, modifying configurations, or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe application state is altered based on the executed method, potentially leading to data loss, privilege escalation, or complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-33286) can lead to arbitrary method execution on the server, potentially resulting in complete system compromise. Attackers could delete data, modify configurations, escalate privileges, or even execute arbitrary code on the affected system. The vulnerability affects any application exposing Graphiti write endpoints to untrusted users. The severity is high due to the potential for remote code execution and data corruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Graphiti v1.10.2 to patch the vulnerability (CVE-2026-33286).\u003c/li\u003e\n\u003cli\u003eImplement strong authentication and authorization checks before processing any write operation on Graphiti endpoints.\u003c/li\u003e\n\u003cli\u003eApply strong parameter filtering (e.g., Rails strong parameters) to ensure only valid parameters are processed, mitigating the risk of arbitrary method calls.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing unusual or unexpected relationship names in JSONAPI payloads. Deploy the Sigma rules provided to detect this activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-graphiti-method-execution/","summary":"Graphiti versions prior to 1.10.2 are vulnerable to arbitrary method execution via maliciously crafted JSONAPI payloads, allowing attackers to invoke public methods on model instances, classes, or associations.","title":"Graphiti JSONAPI Arbitrary Method Execution Vulnerability (CVE-2026-33286)","url":"https://feed.craftedsignal.io/briefs/2024-01-graphiti-method-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Method-Execution","version":"https://jsonfeed.org/version/1.1"}