Summary
Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation.
In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path.
Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels.
This issue was mitigated in 0.28.2.
Affected Versions
0.28.1and earlier
Fixed Version
0.28.2
Affected Components
- Graphiti Core search filter construction
- Graphiti MCP Server
search_nodeswhen used by an LLM client processing untrusted prompts
Technical Details
Before 0.28.2, Graphiti joined SearchFilters.node_labels with | and inserted the result directly into Cypher label expressions in the shared search-filter constructors used by non-Kuzu providers.
The vulnerable logic was effectively:
node_labels = '|'.join(filters.node_labels)node_label_filter = 'n:' + node_labels
The same pattern was also used in edge-search filter construction.
In MCP deployments, search_nodes accepted an entity_types argument and passed it directly to SearchFilters(node_labels=entity_types). An attacker who could influence prompts processed by an LLM client with Graphiti MCP access could use prompt injection to steer the model into invoking search_nodes with crafted entity_types values containing Cypher syntax. Those values would then be interpolated into Cypher before 0.28.2.
Additional Note on group_ids
Separately, the original report also identified a narrower issue in fulltext search query construction for unvalidated group_ids. That issue was distinct from the Cypher label-injection path described above and was also mitigated in 0.28.2.
Mitigation
Upgrade to 0.28.2 or later.
Version 0.28.2 added:
- validation of
SearchFilters.node_labels - defense-in-depth label validation in shared search-filter constructors
- validation of entity node labels in persistence query builders
- validation of
group_idsin shared search fulltext helpers
Workarounds
If you cannot upgrade immediately:
- do not expose Graphiti MCP tools to untrusted users or to LLM workflows that process untrusted prompt content
- avoid passing untrusted values into
SearchFilters.node_labelsor MCPentity_types - restrict graph database credentials to the minimum privileges required
Credits
@4n93L for their original report.
Impact
Successful exploitation could allow arbitrary Cypher execution within the privileges of the configured graph database connection, including:
- reading graph data outside the intended search scope
- modifying graph data
- deleting graph data
- bypassing logical group isolation enforced at the query layer
CVE-2026-32247 has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.28.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-32247? CVE-2026-32247 is a high-severity security vulnerability in graphiti-core (pip), affecting versions <= 0.28.1. It is fixed in 0.28.2.
- How severe is CVE-2026-32247? CVE-2026-32247 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of graphiti-core are affected by CVE-2026-32247? graphiti-core (pip) versions <= 0.28.1 is affected.
- Is there a fix for CVE-2026-32247? Yes. CVE-2026-32247 is fixed in 0.28.2. Upgrade to this version or later.
- Is CVE-2026-32247 exploitable, and should I be worried? Whether CVE-2026-32247 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-32247 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-32247? Upgrade
graphiti-coreto 0.28.2 or later.