CVE-2026-28410
Published: 05 March 2026
Summary
CVE-2026-28410 is a high-severity Improper Access Control (CWE-284) vulnerability in Thegraph Graph Protocol Contracts. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 11.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws in the token vesting contracts; in practice, upgrading to version 3.0.0, which closes the unauthorized token access.
AC-3 (Access Enforcement): enforces approved authorizations in the smart contracts so that a low-privileged user cannot reach tokens that are still locked under the vesting schedule, addressing the CWE-284 improper access control.
RA-5 (Vulnerability Monitoring and Scanning): employs vulnerability scanning to identify access-control and calculation flaws like those in the vesting contracts before deployment or exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A flaw in a public-facing smart contract on a blockchain network is directly exploitable over the network (T1190); successful abuse enables premature or unauthorized withdrawal and drainage of locked tokens (T1657, Financial Theft).
NVD Description
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.
Deeper analysis
CVE-2026-28410 is a vulnerability in the token vesting contracts of The Graph, an indexing protocol used for querying blockchain networks such as Ethereum, IPFS, Polygon, and others. In versions prior to 3.0.0, the contracts contain a flaw that permits users to access tokens that are intended to remain locked according to their vesting schedule. This issue is classified under CWE-284 (Improper Access Control) and CWE-682 (Incorrect Calculation), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to significant impacts on confidentiality and integrity.
The vulnerability can be exploited over the network by a caller with low privileges (PR:L), such as a beneficiary who already holds a position in a vesting schedule, requiring no user interaction and no special complexity. Successful exploitation allows that caller to withdraw or otherwise access tokens that the schedule should still be holding back, potentially leading to unauthorized token transfers or drainage of locked funds from the vesting contracts.
The issue has been addressed in version 3.0.0 of the contracts. Official mitigation guidance is provided in the Graph Protocol's security advisory (GHSA-qx35-rc5x-x39r) and the patching commit (91224ed83eeff3fc3afea01f5ed269373d9bf773) on GitHub, recommending an upgrade to the fixed version.
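The advisory describes the bug only as "users can access tokens that should still be locked", so the concrete defect is not reproduced here. What follows is an added, constructed illustration (not code from The Graph contracts and not the CVE-2026-28410 flaw itself) of the two properties the controls above are meant to enforce: a vesting schedule model that applies the beneficiary check (AC-3, CWE-284) and the schedule arithmetic (CWE-682) together, plus the kind of pre-deployment invariant sweep (RA-5) that flags a vesting function releasing tokens before the cliff. All names (VestingSchedule, release, check_schedule, buggy_vested_amount) and the sample schedule are hypothetical.

```python
"""Constructed model of a linear token-vesting schedule with a cliff, plus an
invariant check of the kind a reviewer runs before deploying a vesting
contract. Illustrative only: not The Graph protocol code and not the specific
defect in CVE-2026-28410. All names and figures are hypothetical."""
from dataclasses import dataclass


@dataclass
class VestingSchedule:
    beneficiary: str   # only this address may call release()
    total: int         # tokens allocated to the schedule (base units)
    start: int         # unix time at which vesting begins
    cliff: int         # unix time before which nothing is claimable
    duration: int      # seconds from start until fully vested
    released: int = 0  # tokens already paid out

    def vested_amount(self, now: int) -> int:
        """Tokens earned by `now`: zero before the cliff, linear afterwards,
        capped at the total. Integer division mirrors EVM arithmetic."""
        if now < self.cliff:
            return 0
        if now >= self.start + self.duration:
            return self.total
        return self.total * (now - self.start) // self.duration

    def releasable(self, now: int) -> int:
        """Vested but not yet paid out."""
        return self.vested_amount(now) - self.released

    def release(self, caller: str, now: int) -> int:
        """Access enforcement (only the beneficiary) and schedule enforcement
        (only what has vested) applied in the same code path."""
        if caller != self.beneficiary:
            raise PermissionError("caller is not the beneficiary")
        amount = self.releasable(now)
        if amount <= 0:
            raise ValueError("nothing releasable yet")
        self.released += amount
        return amount


def attempt_release(s: VestingSchedule, caller: str, now: int):
    """Convenience wrapper: (True, amount) on success, (False, reason) otherwise."""
    try:
        return True, s.release(caller, now)
    except (PermissionError, ValueError) as exc:
        return False, str(exc)


def buggy_vested_amount(s: VestingSchedule, now: int) -> int:
    """Constructed incorrect-calculation variant (CWE-682 shape): vests
    linearly from `start` and ignores the cliff. Not the advisory's defect."""
    if now >= s.start + s.duration:
        return s.total
    return max(0, s.total * (now - s.start) // s.duration)


def check_schedule(vested, s: VestingSchedule, step: int = 3600) -> list:
    """Sweep time from before `start` to past the end and report every
    timestamp at which `vested(s, now)` violates the schedule invariants:
    nothing before the cliff, monotone non-decreasing, never above total."""
    violations = []
    prev = 0
    for now in range(s.start - step, s.start + s.duration + 2 * step, step):
        v = vested(s, now)
        if now < s.cliff and v != 0:
            violations.append((now, "claimable before cliff"))
        if v < prev:
            violations.append((now, "not monotone"))
        if v > s.total:
            violations.append((now, "exceeds total"))
        prev = v
    return violations


def make_example_schedule() -> VestingSchedule:
    """Constructed sample: 1,000,000 units, one-year cliff, four-year vest."""
    start = 1_700_000_000
    year = 365 * 24 * 3600
    return VestingSchedule("0xBeneficiary", 1_000_000, start, start + year, 4 * year)


if __name__ == "__main__":
    s = make_example_schedule()
    print("correct function violations:", check_schedule(VestingSchedule.vested_amount, s))
    print("buggy function violations:", len(check_schedule(buggy_vested_amount, s)))
    print("attacker release:", attempt_release(s, "0xAttacker", s.cliff))
    print("beneficiary at cliff:", attempt_release(s, "0xBeneficiary", s.cliff))
```

The sweep is deliberately cheap: it exercises the vesting function at every step across the whole schedule and around its boundaries, which is where off-by-one and cliff-handling mistakes in integer arithmetic surface. A review that keeps both the `caller` check and the `releasable` cap in one path also makes it harder for a later refactor to expose a withdrawal route that bypasses one of them.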
Details
- CWE(s)