CVE-2026-32247: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in getzep graphiti
CVE-2026-32247 is a high-severity Cypher injection vulnerability affecting getzep's Graphiti framework versions before 0.28.2. The flaw arises from improper neutralization of special elements in data query logic (CWE-943), where attacker-controlled label values in SearchFilters.node_labels are concatenated directly into Cypher queries without validation. This enables injection attacks on graph databases such as Neo4j, FalkorDB, and Neptune, but not Kuzu, which uses parameterized queries. Exploitation requires at least low privileges and no user interaction, and can occur via direct access to the MCP server or through prompt injection against an LLM client that triggers vulnerable search_nodes calls. The vulnerability impacts confidentiality and integrity but not availability, with a CVSS score of 8.1. The issue was fixed in Graphiti version 0.28.2.
AI Analysis
Technical Summary
Graphiti is a framework designed to build and query temporal context graphs for AI agents, supporting multiple graph database backends including Neo4j, FalkorDB, Neptune, and Kuzu. Versions of Graphiti prior to 0.28.2 contain a Cypher injection vulnerability (CVE-2026-32247) due to improper neutralization of special elements in data query logic (CWE-943). Specifically, attacker-controlled label values supplied through the SearchFilters.node_labels parameter are concatenated directly into Cypher label expressions without proper validation or sanitization. This unsafe string interpolation allows an attacker to inject malicious Cypher code, potentially manipulating queries to access or alter sensitive data. The vulnerability affects non-Kuzu backends because Kuzu uses parameterized label handling, which prevents injection. In deployments using the MCP server, exploitation can occur not only through direct untrusted access to the Graphiti MCP server but also via prompt injection attacks against large language model (LLM) clients. These LLM clients can be tricked into calling the vulnerable search_nodes function with attacker-controlled entity_types values, which the MCP server maps to SearchFilters.node_labels, thus reaching the vulnerable Cypher construction path. The vulnerability impacts confidentiality and integrity of data by allowing unauthorized data access or manipulation but does not affect availability. The CVSS v3.1 base score is 8.1, reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and high impact on confidentiality and integrity. No known exploits in the wild have been reported as of the publication date. The issue was mitigated in Graphiti version 0.28.2 by implementing proper input validation or parameterization to prevent injection.
Potential Impact
This vulnerability poses a significant risk to organizations using Graphiti versions prior to 0.28.2 with affected backends such as Neo4j, FalkorDB, and Neptune. Successful exploitation can lead to unauthorized disclosure and modification of sensitive graph data, undermining confidentiality and integrity. Attackers could craft malicious Cypher queries to extract sensitive information, alter graph relationships, or corrupt data, potentially impacting AI agent decision-making processes that rely on accurate graph data. Since exploitation can occur remotely over the network and does not require user interaction, the attack surface is broad, especially in environments where the MCP server or LLM clients are exposed to untrusted users or inputs. The ability to exploit via prompt injection against LLM clients also introduces a novel attack vector that could bypass traditional access controls. While availability is not directly impacted, the loss of data integrity and confidentiality could have severe operational and reputational consequences. Organizations relying on temporal context graphs for AI or analytics could face data breaches, intellectual property theft, or manipulation of AI outputs, affecting business continuity and trust.
Mitigation Recommendations
Organizations should immediately upgrade Graphiti to version 0.28.2 or later, where the vulnerability has been fixed by proper parameterization and input validation. Until patching is possible, administrators should restrict network access to the MCP server and LLM clients to trusted users only, minimizing exposure to untrusted inputs. Implement strict input validation and sanitization on all user-supplied data that influence Cypher queries, especially SearchFilters.node_labels and entity_types parameters. For deployments integrating LLM clients, carefully monitor and control prompt inputs to prevent injection attempts that could trigger vulnerable search_nodes calls. Employ runtime monitoring and anomaly detection on Cypher query patterns to identify suspicious or unexpected query constructions indicative of injection attempts. Review and harden access controls on graph databases (Neo4j, FalkorDB, Neptune) to limit privileges of accounts used by Graphiti, reducing the impact of potential exploitation. Additionally, consider using graph backends like Kuzu that inherently mitigate label injection risks through parameterized queries. Conduct security testing and code reviews focusing on injection vulnerabilities in query construction logic as part of the development lifecycle.
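As an added illustration (not Graphiti's own code and not its actual fix), the Python below contrasts the raw-interpolation pattern behind CWE-943 with a label filter that accepts only allowlisted, syntactically plain labels and passes the search term as a query parameter. The allowlist contents, function names and query shape are assumptions for this example.

```python
import re
from typing import Iterable

# Assumed allowlist of node labels the application actually uses (constructed
# for this example; a real deployment derives it from its own schema).
ALLOWED_NODE_LABELS = frozenset({"Entity", "Person", "Organization", "Episodic"})

# A Cypher identifier that needs no quoting: letters, digits and underscores,
# not starting with a digit. Anything else is rejected, not escaped.
_SAFE_LABEL = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_node_labels(labels: Iterable[str]) -> list[str]:
    """Return the labels (deduplicated, order kept) if every one is both
    syntactically plain and on the allowlist; raise ValueError otherwise."""
    checked: list[str] = []
    for label in labels:
        if not isinstance(label, str) or not _SAFE_LABEL.fullmatch(label):
            raise ValueError(f"invalid node label: {label!r}")
        if label not in ALLOWED_NODE_LABELS:
            raise ValueError(f"unknown node label: {label!r}")
        if label not in checked:
            checked.append(label)
    return checked


def unsafe_label_filter(labels: list[str]) -> str:
    """The vulnerable pattern: caller data interpolated straight into query
    text (a constructed illustration of the defect, not Graphiti's source)."""
    return " OR ".join(f"n:{label}" for label in labels)


def safe_label_filter(labels: Iterable[str]) -> str:
    """Hardened form: validated labels only, backtick-quoted so the label
    text is always read as an identifier and never as Cypher syntax."""
    checked = validate_node_labels(labels)
    if not checked:
        return ""
    return "(" + " OR ".join(f"n:`{label}`" for label in checked) + ")"


def search_nodes_query(labels: Iterable[str]) -> str:
    """Assemble a search query whose only dynamic text is validated labels;
    the search value itself travels as the bound parameter $name."""
    where = safe_label_filter(labels)
    clause = f"WHERE {where} AND n.name = $name" if where else "WHERE n.name = $name"
    return f"MATCH (n) {clause} RETURN n LIMIT 10"
```

The same check belongs wherever entity_types values are mapped onto node labels, so that an LLM client driven by prompt injection cannot reach the query builder with anything but schema names.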
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T14:47:05.685Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b3294c2f860ef943f62e03
Added to database: 3/12/2026, 8:59:56 PM
Last enriched: 3/12/2026, 9:14:13 PM
Last updated: 3/12/2026, 10:41:19 PM