CVE-2026-32247: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in getzep graphiti
CVE-2026-32247 is a high-severity Cypher injection vulnerability in getzep's Graphiti framework versions prior to 0.28.2. The flaw arises from improper neutralization of special elements in data query logic, specifically in the construction of Cypher label expressions for non-Kuzu backends like Neo4j, FalkorDB, and Neptune. Attackers can exploit this by injecting malicious label values through SearchFilters.node_labels or via prompt injection against LLM clients that trigger vulnerable search_nodes calls. This can lead to unauthorized data access and compromise of confidentiality and integrity without requiring user interaction, though some privileges are needed. The issue was fixed in version 0.28.2 by improving input validation and parameterization.
AI Analysis
Technical Summary
Graphiti is a framework designed for building and querying temporal context graphs to support AI agents. Versions of Graphiti before 0.28.2 contain a Cypher injection vulnerability (CVE-2026-32247) classified under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic). The vulnerability exists in the way Graphiti constructs Cypher queries for non-Kuzu backends (Neo4j, FalkorDB, and Neptune). Specifically, attacker-controlled label values supplied via SearchFilters.node_labels are concatenated directly into Cypher label expressions without proper validation or sanitization, enabling injection of malicious Cypher code. In MCP (Managed Context Provider) deployments, exploitation is possible not only through direct access to the Graphiti MCP server but also indirectly via prompt injection attacks against large language model (LLM) clients that invoke the vulnerable search_nodes function with attacker-controlled entity_types. The MCP server maps entity_types to SearchFilters.node_labels, which then reach the vulnerable query construction path. The Kuzu backend is not affected because it uses parameterized label handling instead of string interpolation. The vulnerability allows attackers with at least low privileges (PR:L) to execute unauthorized Cypher queries, potentially exposing or manipulating sensitive graph data, impacting confidentiality and integrity but not availability. The issue was mitigated in Graphiti version 0.28.2 by implementing proper input validation and parameterization to neutralize special elements in Cypher queries.
Potential Impact
This vulnerability poses a significant risk to organizations relying on Graphiti with non-Kuzu backends for AI-driven graph data querying. Successful exploitation can lead to unauthorized access to sensitive graph data, data leakage, and potential data manipulation, undermining confidentiality and integrity. Since the vulnerability does not impact availability, denial-of-service is less of a concern. The ease of exploitation is relatively high given that no user interaction is required and the attack surface includes both direct server access and indirect LLM prompt injection vectors. Organizations using vulnerable versions in MCP deployments face compounded risk due to the indirect exploitation path via LLM clients. The scope includes any organization leveraging Graphiti with Neo4j, FalkorDB, or Neptune backends, particularly those integrating AI agents and large language models. This could affect sectors such as technology, finance, healthcare, and government, where graph databases and AI are increasingly prevalent. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future attacks.
Mitigation Recommendations
Organizations should immediately upgrade Graphiti to version 0.28.2 or later, where the vulnerability is patched. For environments where immediate upgrade is not feasible, implement strict input validation and sanitization on all user-controllable inputs that influence Cypher query construction, especially SearchFilters.node_labels and entity_types parameters. Employ parameterized queries or prepared statements wherever possible to avoid string interpolation of labels. Restrict access to the Graphiti MCP server to trusted users and networks to reduce direct exploitation risk. Monitor and audit LLM client interactions that invoke search_nodes for anomalous or unexpected entity_types inputs indicative of prompt injection attempts. Implement network segmentation and least privilege principles to limit attacker movement if compromise occurs. Maintain up-to-date threat intelligence and apply security patches promptly. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block Cypher injection patterns targeting Graphiti endpoints.
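The construction flaw described in the Technical Summary and the validation advice above, as an added illustration that is not Graphiti's own code: `vulnerable_label_expr` mirrors the pre-fix pattern of interpolating caller-supplied labels straight into a Cypher label expression, while `safe_label_expr` enforces an identifier allowlist and backtick quoting before the label reaches the query text. All function names, the regex and the sample labels are assumptions constructed for this example; labels cannot be bound as query parameters on Neo4j-style backends, so validation must happen before string construction.

```python
import re

# Hypothetical helpers, not Graphiti's API. A Cypher label must be a plain
# identifier; anything else is rejected before it can touch the query string.
LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def vulnerable_label_expr(node_labels):
    """Pre-fix style: raw interpolation, no neutralization of special elements."""
    return "n:" + "|".join(node_labels)


def is_valid_label(label):
    """True only for a plain identifier (letters, digits, underscore)."""
    return isinstance(label, str) and LABEL_RE.fullmatch(label) is not None


def validate_labels(node_labels, allowed=None):
    """Reject malformed labels and, when an allowlist is given, unknown ones.

    This is the check an MCP server should apply when mapping entity_types
    onto SearchFilters.node_labels, since that value may come from an LLM
    client under prompt-injection influence.
    """
    cleaned = []
    for label in node_labels:
        if not is_valid_label(label):
            raise ValueError(f"invalid label: {label!r}")
        if allowed is not None and label not in allowed:
            raise ValueError(f"label not permitted: {label!r}")
        cleaned.append(label)
    return cleaned


def safe_label_expr(node_labels, allowed=None):
    """Validated labels, backtick-quoted, joined with the Cypher label OR operator."""
    labels = validate_labels(node_labels, allowed)
    return "n:" + "|".join(f"`{label}`" for label in labels)


def build_search_query(node_labels, allowed=None):
    """Only the search text is user data in the final statement, bound as $query_text."""
    return (
        f"MATCH ({safe_label_expr(node_labels, allowed)}) "
        "WHERE n.name CONTAINS $query_text RETURN n.uuid, n.name"
    )
```

Run `build_search_query(["Entity", "Person"], allowed={"Entity", "Person"})` to see the hardened statement; a label such as `"Bad Label)"` passes through the vulnerable builder untouched but raises `ValueError` in the safe one.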
Affected Countries
United States, Canada, United Kingdom, Germany, France, Netherlands, Japan, South Korea, Australia, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T14:47:05.685Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b3294c2f860ef943f62e03
Added to database: 3/12/2026, 8:59:56 PM
Last enriched: 3/20/2026, 2:35:11 AM
Last updated: 4/27/2026, 1:23:09 AM
Views: 64