CVE-2026-33286: CWE-913: Improper Control of Dynamically-Managed Code Resources in graphiti-api graphiti
CVE-2026-33286 is a critical vulnerability in Graphiti versions prior to 1.10.2 that allows unauthenticated attackers to execute arbitrary public methods on model instances, their classes, or associated objects via crafted JSONAPI write requests. This occurs because the framework improperly validates relationship names from user-supplied payloads, leading to arbitrary method invocation. Exploitation can result in integrity and availability impacts, including destructive operations on data. The vulnerability requires no authentication or user interaction and affects any application exposing Graphiti write endpoints to untrusted users. The issue is patched in Graphiti v1.10.2, and mitigation includes upgrading, restricting write endpoint access, and enforcing strong authorization and parameter validation. Organizations using Graphiti in web applications should prioritize patching and access controls to prevent exploitation.
AI Analysis
Technical Summary
Graphiti is a Ruby framework that exposes models via a JSON:API-compliant interface. Versions before 1.10.2 contain a critical vulnerability (CVE-2026-33286) classified under CWE-913 (Improper Control of Dynamically-Managed Code Resources). The flaw arises in the `Graphiti::Util::ValidationResponse#all_valid?` method, which recursively calls `model.send(name)` using relationship names extracted directly from user-supplied JSONAPI payloads without validating these names against the resource's configured sideloads. This lack of validation enables an attacker to craft malicious JSONAPI write requests (create, update, delete) containing arbitrary relationship names that cause the framework to invoke any public method on the model instance, its class, or associated models. Because the method invocation is unrestricted, attackers can execute destructive operations or manipulate data integrity. The vulnerability requires no authentication or user interaction and can be exploited remotely if write endpoints are exposed to untrusted users. The issue was addressed in Graphiti version 1.10.2 by adding proper validation and restricting method invocation. Until upgrading, mitigations include restricting access to write endpoints, enforcing strong authentication and authorization, and using Rails strong parameters to whitelist valid inputs.
Potential Impact
The vulnerability allows attackers to execute arbitrary public methods on application models without authentication, leading to severe integrity and availability impacts. Attackers can perform unauthorized data modifications, deletions, or other destructive actions, potentially compromising application logic and data consistency. Since the flaw affects the core write functionality of Graphiti, any web application exposing these endpoints to untrusted users is at risk. This can result in data corruption, loss, or denial of service. The critical CVSS score of 9.1 reflects the high impact and ease of exploitation. Organizations relying on Graphiti for API endpoints may face significant operational disruption, reputational damage, and compliance violations if exploited.
Mitigation Recommendations
1. Upgrade Graphiti to version 1.10.2 or later immediately to apply the official patch that fixes the validation flaw.
2. Restrict access to Graphiti write endpoints (create, update, delete) so they are not exposed to untrusted or unauthenticated users.
3. Implement strong authentication and authorization controls on all write operations to ensure only authorized users can perform modifications.
4. Use Rails strong parameters or equivalent mechanisms to whitelist and validate all incoming JSONAPI payload parameters, preventing arbitrary method names from being processed.
5. Conduct thorough code reviews and testing to verify that no other dynamic method invocations are exposed to user input without validation.
6. Monitor application logs for unusual or unexpected method calls or payloads targeting Graphiti endpoints.
7. Consider implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious JSONAPI payloads attempting to exploit this vulnerability.
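As an added illustration (not Graphiti's own code and not the 1.10.2 fix), the Ruby below shows the shape of the unsafe pattern the Technical Summary describes, where a client-supplied relationship name becomes a `send` call, next to a hardened form that follows only the relationship names the resource declares, which is the kind of allowlisting recommendation 4 above asks for. The `Post` and `Comment` models, the `SIDELOADS` table, the `all_valid_unsafe?`/`all_valid_safe?` helpers and the request body are all constructed for this example.

```ruby
require "json"

# Constructed stand-ins for application records. `comments` is the one
# relationship a resource would declare; `reload` is an ordinary public method
# that a write payload must never be able to reach.
class Comment
  def errors; []; end
end

class Post
  attr_reader :comments, :reload_count

  def initialize(comments = [])
    @comments = comments
    @reload_count = 0
  end

  def errors; []; end

  # Public, side-effecting, and not a relationship.
  def reload
    @reload_count += 1
    self
  end
end

# Hypothetical sideload configuration keyed by model class; the real Graphiti
# resource DSL is not reproduced here.
SIDELOADS = { Post => %w[comments], Comment => [] }.freeze

class UnknownRelationship < StandardError; end

# Pulls relationship names out of a JSON:API write payload; each maps to its
# own nested tree (kept empty here for brevity).
def relationship_tree(payload)
  rels = payload.dig("data", "relationships") || {}
  rels.keys.each_with_object({}) { |name, tree| tree[name] = {} }
end

# Unsafe pattern the advisory describes: every relationship name from the
# request body is turned straight into a method call on the model.
def all_valid_unsafe?(model, tree)
  return false unless model.errors.empty?
  tree.all? do |name, nested|
    related = model.send(name) # `name` is attacker-controlled
    Array(related).all? { |r| all_valid_unsafe?(r, nested) }
  end
end

# Hardened form: a name is followed only if the resource configured it as a
# sideload; anything else is rejected before any method is invoked.
def all_valid_safe?(model, tree)
  return false unless model.errors.empty?
  allowed = SIDELOADS.fetch(model.class, [])
  tree.all? do |name, nested|
    unless allowed.include?(name)
      raise UnknownRelationship, "#{name} is not a sideload of #{model.class}"
    end
    related = model.public_send(name)
    Array(related).all? { |r| all_valid_safe?(r, nested) }
  end
end

# Constructed request body: one declared relationship plus one key that is
# really a method name.
PAYLOAD = JSON.parse(<<~JSON)
  {"data": {"type": "posts", "attributes": {"title": "hello"},
            "relationships": {"comments": {"data": []}, "reload": {"data": null}}}}
JSON

# Runs both validators against the same payload and reports what happened.
def demo
  unsafe_post = Post.new([Comment.new])
  all_valid_unsafe?(unsafe_post, relationship_tree(PAYLOAD))

  safe_post = Post.new([Comment.new])
  rejected = begin
    all_valid_safe?(safe_post, relationship_tree(PAYLOAD))
    false
  rescue UnknownRelationship
    true
  end

  { unsafe_reload_calls: unsafe_post.reload_count,
    safe_reload_calls: safe_post.reload_count,
    safe_rejected: rejected }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The hardened version raises on the first unknown name rather than silently skipping it; failing closed makes the rejected payload visible in application logs, which is what recommendation 6 relies on. Strong parameters at the controller layer would stop the same key even earlier, before it reaches any model.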
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T18:55:47.426Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69c1e5e3f4197a8e3bb3f18b
Added to database: 3/24/2026, 1:16:19 AM
Last enriched: 3/24/2026, 1:30:52 AM
Last updated: 3/24/2026, 2:17:53 AM