CVE-2026-32247: Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection ...

Description

Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Probability

0.34%

26.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-943

Affected Software

Vendor	Product	Versions
Getzep	Graphiti	< 0.28.2

References

https://github.com/getzep/graphiti/commit/7d65d5e77e89a199a62d737634eaa26dbb04d037Patch
https://github.com/getzep/graphiti/pull/1312Issue Tracking, Patch
https://github.com/getzep/graphiti/releases/tag/v0.28.2Release Notes
https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5gMitigation, Vendor Advisory

Timeline

Published: Mar 12, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-32247?

Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path. Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels. This issue was mitigated in 0.28.2.

How severe is CVE-2026-32247?

CVE-2026-32247 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 0.34% probability of exploitation in the next 30 days.

How do I fix CVE-2026-32247?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.