JustAppSec

Graphiti patches arbitrary method execution in JSON:API write endpoints

Published 23 Mar 2026. Source: CVEProject (cvelistV5)

TL;DR — A critical Graphiti JSON:API write-path bug lets remote attackers invoke arbitrary public model methods by supplying attacker-controlled relationship names in write payloads.

What happened

Graphiti is a Ruby framework that sits on top of application models and exposes them via a JSON:API-compliant interface.

CVE-2026-33286 describes an arbitrary method execution issue in Graphiti’s JSON:API write functionality (create/update/delete). Per the advisory, Graphiti’s Graphiti::Util::ValidationResponse#all_valid? recursively calls model.send(name) using relationship names taken directly from a user-supplied JSON:API payload, without validating them against the resource’s configured sideloads. This can allow an attacker to invoke any public method on the underlying model instance, its class, or its associations, including destructive operations.

The advisory scores this as CVSS v3.1 9.1 (Critical) with network reachability and no required privileges, which is consistent with “internet-reachable write endpoints” being a high-risk trust boundary. This is also a recurring failure mode in API layers that do dynamic dispatch (send, reflection) over user-controlled strings.
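As an added illustration (not Graphiti's own code), the following Ruby sketch reproduces the pattern the advisory describes, relationship names from the payload dispatched with send, beside a version that first validates them against the resource's configured sideloads. The `Post` model, its `archive!` method, the `POST_SIDELOADS` list and the payload fragments are all constructed for this example.

```ruby
# Constructed stand-in for an application model: one legitimate association
# and one public method with a side effect (stands in for "destructive operations").
class Post
  attr_reader :archived, :comments

  def initialize
    @archived = false
    @comments = []
  end

  def archive!
    @archived = true
  end
end

# Relationship names the resource declares as sideloads (assumed configuration).
POST_SIDELOADS = %w[comments].freeze

# Vulnerable pattern from the advisory: relationship names are taken from the
# payload and dispatched with send, so any public method name is callable.
def walk_relationships_vulnerable(model, relationships)
  relationships.each_key { |name| model.send(name) }
  true
end

class UnknownRelationshipError < StandardError; end

# Hardened pattern: reject anything not in the configured sideload allowlist
# before dispatching; public_send adds defence in depth against private methods.
def walk_relationships_hardened(model, relationships, allowed)
  relationships.each_key do |name|
    unless allowed.include?(name.to_s)
      raise UnknownRelationshipError, "#{name.inspect} is not a configured sideload"
    end
    model.public_send(name)
  end
  true
end

# Constructed JSON:API-style `relationships` fragments: one naming a method that
# is not a sideload, one naming the legitimate association.
UNEXPECTED_RELATIONSHIPS = { "archive!" => { "data" => [] } }.freeze
BENIGN_RELATIONSHIPS     = { "comments" => { "data" => [] } }.freeze
```

Running the vulnerable walker over `UNEXPECTED_RELATIONSHIPS` flips `archived` to true; the hardened walker raises before any method is invoked and still accepts `BENIGN_RELATIONSHIPS`.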

Who is impacted

  • Applications using the graphiti gem in versions < 1.10.2.
  • Any deployment that exposes Graphiti write endpoints (create/update/delete) to untrusted users.

Component   Affected versions (per advisory)   Patched versions (per advisory)
graphiti    < 1.10.2                           1.10.2

What to do now

  • Follow upstream remediation guidance and update to a patched release:

    "This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible."

  • If you can’t upgrade right away, apply the advisory’s mitigations to reduce exposure:

    "Restrict write access: Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users."

    "Authentication & authorisation: Apply strong authentication and authorisation checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed."

  • Inventory services exposing Graphiti write routes and validate they are not reachable from untrusted networks (including partner/VPN networks that effectively behave as untrusted).
  • Treat this as an integrity risk: review recent write activity for unexpected relationship names or anomalous update/delete patterns, and confirm that downstream model methods reachable via public APIs can’t perform dangerous side effects without explicit authorization.
