Cyber Posture

CVE-2026-32247

Severity: High
Published: 12 March 2026
Modified: 18 March 2026
KEV Added: not listed
Patch: available (fixed in 0.28.2)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (12.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32247 is a high-severity Improper Neutralization of Special Elements in Data Query Logic (CWE-943) vulnerability in Getzep Graphiti. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 12.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, within the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Requires validation of attacker-controlled inputs such as SearchFilters.node_labels before they are concatenated into Cypher label expressions, directly preventing the injection.

Prevent: Mandates timely patching of the known Cypher injection flaw by upgrading Graphiti to version 0.28.2 or later.

RA-5 Vulnerability Monitoring and Scanning (prevent, detect): Vulnerability scanning identifies the Cypher injection in Graphiti deployments that use non-Kuzu backends, enabling prioritized remediation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

Cypher injection in a network-exposed Graphiti MCP server (AV:N) directly enables T1190 for initial access, whether through untrusted SearchFilters.node_labels values or through LLM-induced search_nodes calls; arbitrary query execution on the graph database also supports T1213.006, collection from the graph as an information repository.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.

Deeper analysis

Graphiti, a framework for building and querying temporal context graphs for AI agents, contains a Cypher injection vulnerability (CWE-943) in versions prior to 0.28.2. The issue arises in shared search-filter construction for non-Kuzu backends, where attacker-controlled label values supplied through SearchFilters.node_labels are directly concatenated into Cypher label expressions without validation. Affected backends include Neo4j, FalkorDB, and Neptune; Kuzu is unaffected due to its use of parameterized label handling.

Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation is possible through direct untrusted access to the Graphiti MCP server or via prompt injection against an LLM client, inducing it to call search_nodes with attacker-controlled entity_types values. The MCP server maps these to SearchFilters.node_labels, feeding into the vulnerable Cypher path. Successful attacks yield high confidentiality and integrity impacts (C:H/I:H), such as unauthorized data access or modification via injected Cypher queries, with a CVSS v3.1 base score of 8.1.
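As an added example (not Graphiti's own code), the shape of the defect described in the NVD description and the analysis above, beside a hardened counterpart: labels that arrive as entity_types from an MCP client are checked as plain Cypher identifiers and against the set of registered entity types before they are interpolated into the label expression. The function names, the identifier regular expression and the `n:Label OR n:Label` expression shape are assumptions for illustration.

```python
import re

# Assumed rule for this example (not Graphiti's own): a label must look like a
# plain Cypher identifier, so no backticks, spaces, colons or other delimiters.
_LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

class InvalidLabelError(ValueError):
    """Raised when a requested node label fails validation."""

def build_label_filter_unsafe(node_labels):
    """Shape of the pre-0.28.2 path the advisory describes: each value from
    SearchFilters.node_labels is interpolated into the label expression with no
    validation, so any delimiter characters in it become Cypher syntax."""
    return "(" + " OR ".join(f"n:{label}" for label in node_labels) + ")"

def validate_labels(node_labels, allowed=None):
    """Return the labels if each is a plain identifier and, when an allowlist of
    registered entity types is given, also a member of that allowlist."""
    validated = []
    for label in node_labels:
        if not isinstance(label, str) or not _LABEL_RE.fullmatch(label):
            raise InvalidLabelError(f"not a plain Cypher identifier: {label!r}")
        if allowed is not None and label not in allowed:
            raise InvalidLabelError(f"not a registered entity type: {label!r}")
        validated.append(label)
    return validated

def build_label_filter(node_labels, allowed=None):
    """Hardened counterpart (SI-10): validate before interpolating. Where a
    backend cannot bind labels as query parameters (the page notes Kuzu could),
    an identifier check plus allowlist is the control that stands in for it."""
    labels = validate_labels(node_labels, allowed)
    if not labels:
        return ""  # no label constraint requested
    return "(" + " OR ".join(f"n:{label}" for label in labels) + ")"

def labels_are_safe(node_labels, allowed=None):
    """Boolean view of validate_labels for request-level checks and logging."""
    try:
        validate_labels(node_labels, allowed)
    except InvalidLabelError:
        return False
    return True

def search_nodes_filter(entity_types, registered_types):
    """Models the MCP boundary: entity_types sent by an LLM client map to
    node_labels, so the same validation must run on this path as well."""
    return build_label_filter(entity_types, allowed=set(registered_types))
```

Rejections from `validate_labels` are the events worth logging at the MCP server, since a malformed entity_types value arriving from an LLM client is the observable trace of the prompt-injection path the advisory describes.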

Mitigation is available in Graphiti version 0.28.2, which addresses the injection by fixing the label handling in search-filter construction. Security practitioners should upgrade to this version immediately. Relevant resources include the security advisory (GHSA-gg5m-55jj-8m5g), the fixing commit (7d65d5e77e89a199a62d737634eaa26dbb04d037), pull request #1312, and the release notes for v0.28.2.

This vulnerability is particularly relevant to AI/ML deployments due to Graphiti's role in AI agent context graphs and the prompt injection vector involving LLMs, though no real-world exploitation has been reported.

Details

CWE(s): CWE-943 Improper Neutralization of Special Elements in Data Query Logic

Affected Products: getzep graphiti ≤ 0.28.2 (as listed; the NVD description states that versions before 0.28.2 are affected and that 0.28.2 contains the fix)

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, mcp, mcp, prompt injection, llm, mcp

CVEs Like This One (shared CWE-943)

CVE-2026-33980
CVE-2026-41327
CVE-2026-41328
CVE-2026-30941
CVE-2026-40351
CVE-2026-41274
CVE-2026-29793
CVE-2026-32248
CVE-2026-40352
CVE-2025-24787
