Cyber Resilience

CVE-2026-28410

Medium

Published: 05 March 2026

Modified: 10 March 2026
CVSS Score (v4.0): 5.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0023 (13.4th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-28410 is a medium-severity Improper Access Control (CWE-284) vulnerability in Thegraph Graph Protocol Contracts. Its CVSS v4.0 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 13.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28410 is a vulnerability in the token vesting contracts of The Graph, an indexing protocol for querying blockchain networks such as Ethereum, IPFS and Polygon. In versions prior to 3.0.0, the contracts contain a flaw that lets users access tokens that should remain locked under their vesting schedule. The issue is classified under CWE-284 (Improper Access Control) and CWE-682 (Incorrect Calculation), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), reflecting high impact on confidentiality and integrity.

The vulnerability can be exploited over the network by authenticated users with low privileges, with no user interaction and low attack complexity. Successful exploitation allows an attacker to prematurely withdraw or access vested tokens that should still be restricted, potentially leading to unauthorized token transfers or the draining of locked funds from vesting schedules.

The issue has been addressed in version 3.0.0 of the contracts. Official mitigation guidance is provided in the Graph Protocol's security advisory (GHSA-qx35-rc5x-x39r) and the patching commit (91224ed83eeff3fc3afea01f5ed269373d9bf773) on GitHub, recommending an upgrade to the fixed version.

Vulnerability details

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

CWE(s): CWE-284 (Improper Access Control), CWE-682 (Incorrect Calculation)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1657 Financial Theft (Impact)
Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims.

Why these techniques?

A public-facing smart contract flaw on a blockchain network is directly exploitable over the network (T1190); successful abuse enables premature or unauthorized withdrawal and draining of locked tokens (T1657).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7198 (shared CWE-284)
CVE-2026-46818 (shared CWE-284)
CVE-2025-70363 (shared CWE-284)
CVE-2026-34310 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2026-44498 (shared CWE-682)
CVE-2026-34287 (shared CWE-284)
CVE-2026-1229 (shared CWE-682)
CVE-2026-44277 (shared CWE-284)
CVE-2025-66509 (shared CWE-284)

Affected Assets

Vendor: thegraph
Product: graph protocol contracts
Versions: ≤ 3.0.0

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation). Requires timely identification, reporting, and correction of flaws in the token vesting contracts, directly enabling the patch to version 3.0.0 that fixes the unauthorized token access.

Prevent: AC-3 (Access Enforcement). Enforces approved authorizations in the smart contracts to stop low-privilege users from accessing locked tokens outside the vesting schedule, addressing the CWE-284 improper access control.

Detect: Employs vulnerability scanning to identify access control and calculation flaws, such as those in the vesting contracts, prior to deployment or exploitation.