Executive Summary
Graphiti, a temporal knowledge graph framework for AI agents developed by GetZep, contains a Cypher injection vulnerability (CVE-2026-32247) in its search-filter construction for Neo4j, FalkorDB, and Neptune backends (GHSA-gg5m-55jj-8m5g). Exploitation requires low-privilege authenticated access (PR:L) to the Graphiti API or, in MCP server deployments, can be triggered via indirect prompt injection through an LLM client processing untrusted content (GHSA-gg5m-55jj-8m5g). The CNA-submitted CVSS score is 8.1 HIGH (GHSA-gg5m-55jj-8m5g); NVD has not completed its independent analysis (NVD, vulnStatus: Undergoing Analysis).
Successful exploitation enables arbitrary Cypher query execution, potentially allowing unauthorised reading, modification, and deletion of graph data, as well as bypassing group isolation at the query layer (GHSA-gg5m-55jj-8m5g). No public proof-of-concept or observed exploitation exists at time of writing.
Organisations using graphiti-core should upgrade to version 0.28.2 or later immediately (GHSA-gg5m-55jj-8m5g, confirmed available on PyPI).
Risk Rating
| Dimension | Rating | Detail |
|---|---|---|
| Severity | HIGH (8.1) | CNA-submitted CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (GHSA-gg5m-55jj-8m5g) |
| Urgency | Moderate | Patch available; no public PoC or KEV listing at time of writing |
| Scope | Neo4j, FalkorDB, Neptune backends | Kuzu backend unaffected (GHSA-gg5m-55jj-8m5g) |
| Confidence | High | Vendor advisory, CVE assigned, patch commit, fix release available (GHSA-gg5m-55jj-8m5g) |
| Business Impact | Data breach, integrity loss | Arbitrary graph data read/modify/delete, group isolation bypass (GHSA-gg5m-55jj-8m5g) |
NVD Status: NVD has not completed analysis of CVE-2026-32247 (vulnStatus: Undergoing Analysis) (NVD). The CVSS score of 8.1 is CNA-submitted by GitHub Security Advisories; NVD has not completed its own scoring. Both the NVD record and the GHSA advisory report the same CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD, GHSA-gg5m-55jj-8m5g). No CVSS v4.0 metrics are present (NVD).
EPSS: 0.032% probability of exploitation in the next 30 days, 8.8th percentile (FIRST.org EPSS).
Affected Products
| Product | Affected Versions | Fixed Version | Status |
|---|---|---|---|
| graphiti-core (PyPI) | < 0.28.2 | 0.28.2 | Patched (GHSA-gg5m-55jj-8m5g, PyPI) |
| Backend | Affected? |
|---|---|
| Neo4j | Yes (GHSA-gg5m-55jj-8m5g) |
| FalkorDB | Yes (GHSA-gg5m-55jj-8m5g) |
| Neptune | Yes (GHSA-gg5m-55jj-8m5g) |
| Kuzu | No — uses parameterised label handling (GHSA-gg5m-55jj-8m5g) |
Am I Affected?
- Check if `graphiti-core` is installed: `pip show graphiti-core`
- Check version: if the installed version is below `0.28.2`, you are affected (GHSA-gg5m-55jj-8m5g)
- Check backend: if you use Neo4j, FalkorDB, or Neptune with Graphiti, you are affected. Kuzu users are not affected (GHSA-gg5m-55jj-8m5g)
- Check MCP deployment: if Graphiti is deployed as an MCP server with search tools exposed to LLM clients, the indirect prompt injection vector applies (GHSA-gg5m-55jj-8m5g)
Abstract
CVE-2026-32247 is a Cypher injection vulnerability in GetZep's graphiti-core Python package (versions prior to 0.28.2) caused by unsanitised interpolation of user-supplied SearchFilters.node_labels values into Cypher query expressions for non-Kuzu backends (GHSA-gg5m-55jj-8m5g). The advisory also notes a separate, narrower group_ids fulltext-search validation issue that was distinct from the primary label-injection path and was also fixed in 0.28.2 (GHSA-gg5m-55jj-8m5g). The 0.28.2 patch additionally adds validation for entity node labels in persistence paths as defence-in-depth hardening (fix commit 7d65d5e).
In MCP server deployments, the vulnerability is exploitable via indirect prompt injection: an attacker embeds crafted instructions in content processed by an LLM client, which then calls the Graphiti MCP search_nodes tool with malicious entity_types values that map to the vulnerable SearchFilters.node_labels parameter (GHSA-gg5m-55jj-8m5g). Exploitation requires low-privilege authenticated access (PR:L per CVSS vector) (GHSA-gg5m-55jj-8m5g).
Neo4j, FalkorDB, and Neptune backends are affected; Kuzu is unaffected due to its use of parameterised label handling (GHSA-gg5m-55jj-8m5g). The fix in version 0.28.2 implements input validation via an allowlist regex pattern at API entry points, Pydantic model validators, and query builder functions (fix commit 7d65d5e).
Key Findings
- Primary vulnerability in node label search filters: The published advisory centres on unsanitised `SearchFilters.node_labels` in shared search-filter construction for non-Kuzu backends (GHSA-gg5m-55jj-8m5g). The 0.28.2 patch also adds validation for `group_ids` in fulltext search helpers (a separate, narrower issue noted in the advisory) and for entity node labels in persistence paths as defence-in-depth hardening (GHSA-gg5m-55jj-8m5g, fix commit 7d65d5e).
- MCP-enabled prompt injection vector: In MCP server deployments, the vulnerability can be triggered by indirect prompt injection through LLM-processed content, without requiring direct API access by the attacker (GHSA-gg5m-55jj-8m5g).
- Group isolation bypass: Successful exploitation can bypass group isolation at the query layer (GHSA-gg5m-55jj-8m5g).
- Backend-dependent impact: Neo4j, FalkorDB, and Neptune backends are affected. Kuzu's parameterised query architecture prevents exploitation (GHSA-gg5m-55jj-8m5g).
- Defence-in-depth fix: The patch implements validation at three layers — API entry points, Pydantic model validators, and query builders — using the allowlist pattern `^[a-zA-Z_][a-zA-Z0-9_]*$` (fix commit 7d65d5e).
Attack Flow
Vector A: Direct API Access
============================
Low-privilege authenticated user --> search_nodes() with crafted entity_types --> Cypher query with injected label syntax --> Graph database executes arbitrary Cypher (GHSA-gg5m-55jj-8m5g)

Vector B: Indirect Prompt Injection via MCP (GHSA-gg5m-55jj-8m5g)
===================================================================
Attacker-crafted content with prompt injection --> LLM processes content and invokes MCP tool --> MCP search_nodes tool called with crafted entity_types --> Cypher injection via unsanitised node_labels
Both vectors exploit the same underlying vulnerability: unsanitised interpolation of SearchFilters.node_labels into Cypher expressions (GHSA-gg5m-55jj-8m5g). The MCP vector adds an LLM-mediated step where the attacker does not directly control the API call but influences it through prompt injection (GHSA-gg5m-55jj-8m5g).
Technical Details
Vulnerable Code Pattern
Graphiti concatenated SearchFilters.node_labels directly into Cypher expressions using string interpolation (GHSA-gg5m-55jj-8m5g):
```python
# Vulnerable pattern (pre-0.28.2) — from GHSA-gg5m-55jj-8m5g
node_labels = '|'.join(filters.node_labels)
node_label_filter = 'n:' + node_labels
```
A separate injection surface existed in fulltext search query construction where group_ids were interpolated without validation (GHSA-gg5m-55jj-8m5g, fix commit 7d65d5e):
```python
# Vulnerable pattern (pre-0.28.2) — from fix commit 7d65d5e
group_ids_filter_list = [f'group_id:"{g}"' for g in group_ids]
```
Node save operations also interpolated labels directly into Cypher SET clauses (fix commit 7d65d5e):
```python
# Vulnerable pattern (pre-0.28.2) — from fix commit 7d65d5e
for label in labels.split(':'):
    label_subquery += f' SET n:{label}\n'
```
CWE Classification
CWE-943: "Improper Neutralization of Special Elements in Data Query Logic" (NVD).
Fix Implementation
The fix in version 0.28.2 (commit 7d65d5e) implements input validation via an allowlist regex pattern (fix commit 7d65d5e):
```python
import re

# Fixed pattern (v0.28.2+) — from fix commit 7d65d5e
SAFE_CYPHER_IDENTIFIER_PATTERN = re.compile(r'^[a-zA-Z_][a-zA-Z0-9_]*$')
```
Validation is enforced at three layers (fix commit 7d65d5e):
- API entry points: validate_group_ids() and validate_node_labels() functions called in search operations
- Data model: Pydantic @field_validator on node label fields
- Query builders: _validate_entity_labels() before Cypher SET clause construction
A new NodeLabelValidationError exception rejects labels containing characters outside the [a-zA-Z0-9_] set (fix commit 7d65d5e).
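As an added illustration (not graphiti-core's own code), the vulnerable filter construction from the advisory is shown beside a hardened version that applies the allowlist from the fix. `validate_node_labels`, `NodeLabelValidationError` and the sample labels are hypothetical re-implementations named after the identifiers the advisory and fix commit mention.

```python
import re

# Allowlist from the 0.28.2 fix (commit 7d65d5e): a label is a letter or
# underscore followed by letters, digits or underscores, nothing else.
SAFE_CYPHER_IDENTIFIER_PATTERN = re.compile(r'^[a-zA-Z_][a-zA-Z0-9_]*$')


class NodeLabelValidationError(ValueError):
    """Raised for a label containing characters outside [a-zA-Z0-9_]."""


def validate_node_labels(node_labels):
    """Hypothetical re-implementation of the entry-point check (not the
    project's own function). fullmatch() rather than match(): with match(),
    '$' also accepts one trailing newline, so 'Person\\n' would slip through."""
    for label in node_labels:
        if not SAFE_CYPHER_IDENTIFIER_PATTERN.fullmatch(label):
            raise NodeLabelValidationError(f'unsafe node label: {label!r}')
    return list(node_labels)


def node_label_filter_vulnerable(node_labels):
    # Pre-0.28.2 pattern quoted in the advisory: labels are joined with '|'
    # and concatenated into the Cypher expression unchecked.
    return 'n:' + '|'.join(node_labels)


def node_label_filter_fixed(node_labels):
    # Post-0.28.2 pattern: the same construction, but only after the allowlist
    # has run, so the expression holds only identifiers and '|' separators.
    return 'n:' + '|'.join(validate_node_labels(node_labels))


def is_rejected(node_labels):
    """True if the fixed path refuses this filter."""
    try:
        node_label_filter_fixed(node_labels)
    except NodeLabelValidationError:
        return True
    return False


if __name__ == '__main__':
    # Constructed inputs: a normal filter, then labels the allowlist excludes
    # (Cypher syntax characters, whitespace, a leading digit, trailing newline).
    print(node_label_filter_fixed(['Person', 'Organization']))
    for bad in (['Entity;'], ['Person`'], ['Entity Type'], ['2Fast'], ['Person\n']):
        print(repr(bad), 'rejected' if is_rejected(bad) else 'accepted',
              '| vulnerable path would emit:', repr(node_label_filter_vulnerable(bad)))
```

Note that LLM-produced type names with spaces or punctuation are rejected as well; that is the intended failure mode, and it is why the MCP rule below lists such strings as a false-positive source.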
Confidence & Validation
Assessment Confidence: High
| Aspect | Status | Detail |
|---|---|---|
| Vendor Advisory | Published | GHSA-gg5m-55jj-8m5g by GetZep (GHSA) |
| CVE Assigned | Yes | CVE-2026-32247 (NVD, vulnStatus: Undergoing Analysis) |
| PoC Available | No | No public proof-of-concept at time of writing |
| Patch Available | Yes | graphiti-core 0.28.2 (PyPI, GHSA-gg5m-55jj-8m5g) |
| Exploited in Wild | No evidence | Not listed in CISA KEV; no public exploitation reports |
Detection Signatures
Detection Limitations
All detection rules below are experimental and hunting/telemetry grade — they detect suspicious patterns that may also match benign activity (RAXE assessment). No confirmed indicators of compromise exist for this vulnerability at time of writing. Rules 1 and 3 require custom application-layer instrumentation not available in default Graphiti or MCP server deployments (RAXE assessment).
Sigma Rule 1: Cypher Injection Characters in Graphiti Search Parameters
Classification: Delivery telemetry | Level: medium
Prerequisite: Requires application-layer logging of Graphiti API call parameters (custom instrumentation) (RAXE assessment)
```yaml
title: Cypher Injection Characters in Graphiti Search Parameters
id: raxe-2026-037-sigma-001
status: experimental
level: medium
description: >
  Detects Cypher injection syntax characters in Graphiti search_nodes
  entity_types or node_labels parameters. CVE-2026-32247 (GHSA-gg5m-55jj-8m5g)
  allowed unsanitised label values to be interpolated into Cypher queries.
  Classification: Delivery telemetry.
author: RAXE Labs
date: 2026/03/15
references:
  - https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g
  - https://nvd.nist.gov/vuln/detail/CVE-2026-32247
logsource:
  category: application
  product: graphiti
detection:
  selection:
    api_function|contains:
      - 'search_nodes'
      - 'search_edges'
  injection_chars:
    entity_types|re: '.*[`\{\}\(\)\[\];].*'
  condition: selection and injection_chars
falsepositives:
  - Applications using entity type names containing special characters
```
Sigma Rule 2: Cypher Query Injection Patterns in Graph Database Logs
Classification: Delivery telemetry | Level: medium
Prerequisite: Requires Neo4j query logging (dbms.logs.query.enabled=true) or equivalent FalkorDB/Neptune query audit logging (RAXE assessment)
```yaml
title: Cypher Query Injection Patterns in Graph Database Logs
id: raxe-2026-037-sigma-002
status: experimental
level: medium
description: >
  Detects potential Cypher injection patterns in Neo4j or FalkorDB query logs.
  CVE-2026-32247 (GHSA-gg5m-55jj-8m5g) allowed injection via unsanitised
  node labels interpolated into Cypher queries as 'n:' + user_input.
  Classification: Delivery telemetry.
author: RAXE Labs
date: 2026/03/15
references:
  - https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g
  - https://nvd.nist.gov/vuln/detail/CVE-2026-32247
logsource:
  category: database
  product: neo4j
detection:
  selection_label_inject:
    query|re: 'n:[a-zA-Z_]*[`\{\}\(\);]'
  selection_multi_statement:
    query|contains:
      - 'DETACH DELETE'
      - 'CALL db.'
      - 'LOAD CSV'
  condition: selection_label_inject or selection_multi_statement
falsepositives:
  - Legitimate Cypher queries using complex label expressions
  - Administrative DETACH DELETE in maintenance scripts
```
Sigma Rule 3: MCP Tool Call with Suspicious Entity Types
Classification: Hunting rule | Level: medium
Prerequisite: Requires MCP server request logging with tool call argument capture (custom instrumentation) (RAXE assessment)
```yaml
title: MCP Tool Call with Suspicious Graphiti Entity Types
id: raxe-2026-037-sigma-005
status: experimental
level: medium
description: >
  Hunting rule for MCP server deployments. Detects tool calls to Graphiti
  search_nodes where entity_types contain characters outside the safe
  identifier pattern. CVE-2026-32247 (GHSA-gg5m-55jj-8m5g) was exploitable
  via indirect prompt injection in MCP deployments.
  Classification: Hunting rule.
author: RAXE Labs
date: 2026/03/15
references:
  - https://github.com/getzep/graphiti/security/advisories/GHSA-gg5m-55jj-8m5g
  - https://nvd.nist.gov/vuln/detail/CVE-2026-32247
logsource:
  category: application
  product: mcp_server
detection:
  selection_tool:
    tool_name: 'search_nodes'
  suspicious_entity:
    arguments.entity_types|re: '.*[^A-Za-z0-9_\s,\[\]].*'
  condition: selection_tool and suspicious_entity
falsepositives:
  - LLM-generated entity type strings containing punctuation
  - Entity types with hyphens or dots in naming conventions
```
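To exercise the selections of Sigma rules 2 and 3 against telemetry before deploying them, here is an added Python harness that is not part of the RAXE rules or of Graphiti; the Neo4j query lines and MCP tool-call records are constructed, and `entity_types` is assumed to be logged as the joined list text rather than as JSON.

```python
import re

# Rule 2 (raxe-2026-037-sigma-002) selections, run over Neo4j query log text.
LABEL_INJECT_RE = re.compile(r'n:[a-zA-Z_]*[`\{\}\(\);]')
MULTI_STATEMENT_MARKERS = ('DETACH DELETE', 'CALL db.', 'LOAD CSV')
# Rule 3 (raxe-2026-037-sigma-005) selection, run over MCP tool call arguments:
# anything outside identifiers, whitespace, commas and brackets is flagged.
SUSPICIOUS_ENTITY_RE = re.compile(r'.*[^A-Za-z0-9_\s,\[\]].*')

def query_log_hits(query):
    """Return the names of the rule 2 selections a query text triggers."""
    hits = []
    if LABEL_INJECT_RE.search(query):
        hits.append('selection_label_inject')
    if any(marker in query for marker in MULTI_STATEMENT_MARKERS):
        hits.append('selection_multi_statement')
    return hits

def mcp_call_suspicious(tool_name, entity_types):
    """Rule 3: only search_nodes calls are in scope, then the character check."""
    if tool_name != 'search_nodes':
        return False
    return SUSPICIOUS_ENTITY_RE.match(entity_types) is not None

# Constructed sample telemetry, not real logs. entity_types is assumed to be
# logged as the joined list text, not JSON (rule 3 allows no double quotes).
NEO4J_QUERY_LOG = [
    'MATCH (n) WHERE n:Person|Organization RETURN n.uuid',         # benign, no hit
    'MATCH (n:Entity) WHERE n:Person|Organization RETURN n.uuid',  # benign, yet fires
    'MATCH (n) WHERE n:Person; MATCH (m) DETACH DELETE m',         # shape rule 2 targets
]
MCP_TOOL_CALLS = [
    ('search_nodes', 'Person, Organization'),   # normal call
    ('search_nodes', 'Person`, Organization'),  # backtick in a type name
    ('search_nodes', 'Person, Org.Unit'),       # dotted name: listed false positive
    ('add_episode', 'x;'),                      # other tool: out of scope for rule 3
]

def scan_samples():
    """Run both rules over the samples; returns (source, index, hits) alerts."""
    alerts = []
    for i, query in enumerate(NEO4J_QUERY_LOG):
        hits = query_log_hits(query)
        if hits:
            alerts.append(('neo4j', i, hits))
    for i, (tool, types) in enumerate(MCP_TOOL_CALLS):
        if mcp_call_suspicious(tool, types):
            alerts.append(('mcp', i, ['suspicious_entity']))
    return alerts
```

The second Neo4j line shows why rule 2 is telemetry grade: its label regex also matches the closing parenthesis of an ordinary `(n:Label)` pattern, so tune it to the query shapes in your own logs. If `entity_types` is logged as JSON, rule 3 fires on every call because double quotes are outside its allowed character set.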
Detection & Mitigation
Immediate Actions
- Upgrade `graphiti-core` to version `0.28.2` or later (GHSA-gg5m-55jj-8m5g). The fixed version is confirmed available on PyPI (PyPI).
- Audit MCP server deployments for Graphiti search tool exposure to untrusted LLM-processed content (RAXE assessment).
- Review graph database credentials used by Graphiti — apply least-privilege principles. Injected Cypher executes within the privileges of the configured graph database connection (GHSA-gg5m-55jj-8m5g).
Detection Guidance
- Version audit: Run `pip show graphiti-core` to identify vulnerable installations. Use dependency scanners (`pip-audit`, `safety`) for automated detection (RAXE assessment).
- Query log monitoring: Enable Neo4j query logging and monitor for anomalous Cypher patterns in the label position of queries (RAXE assessment).
- MCP tool call monitoring: Implement logging of MCP tool call arguments, particularly `entity_types` passed to Graphiti search functions (RAXE assessment).
Longer-Term Recommendations
- Prefer Kuzu backend where feasible — Kuzu's parameterised label handling was not affected by this vulnerability class (GHSA-gg5m-55jj-8m5g).
- Implement input validation on AI agent tool parameters — this vulnerability demonstrates how indirect prompt injection can chain through AI agent tool calls into backend queries. Validate tool call arguments independently of LLM output (RAXE assessment).
Indicators of Compromise
No confirmed indicators of compromise exist for CVE-2026-32247 at time of writing. No public proof-of-concept or observed exploitation has been reported.
The following are behavioural indicators for hunting purposes only (RAXE assessment):
| Type | Indicator | Context |
|---|---|---|
| Behavioural (hunting) | Cypher syntax characters (backtick, {, }, (, ), ;) in Graphiti entity_types parameters | May indicate injection attempt via search API (RAXE assessment) |
| Behavioural (hunting) | DETACH DELETE, CALL db., or LOAD CSV appearing after the n: label position in Neo4j query logs | May indicate post-injection Cypher execution (RAXE assessment) |
| Behavioural (hunting) | Non-alphanumeric characters in the MCP search_nodes tool call entity_types argument | May indicate prompt injection-driven Cypher injection in MCP deployments (RAXE assessment) |
Strategic Context
This vulnerability illustrates an emerging attack pattern in the AI agent ecosystem: injection via tool-use chains (RAXE assessment). As AI agents increasingly interact with backend data stores through protocol layers such as MCP, the attack surface for injection vulnerabilities expands beyond traditional web application boundaries (RAXE assessment).
The combination of indirect prompt injection and Cypher injection creates a compound attack where the adversary does not directly interact with the vulnerable API but influences it through LLM-mediated content (RAXE assessment). This pattern — prompt injection chaining into backend query injection — represents a class of vulnerability that may recur across the AI agent tooling ecosystem as more frameworks expose database operations through LLM-accessible tool interfaces (RAXE assessment).
Graphiti's fix approach — allowlist validation at API entry points, data model validators, and query builders — provides a reference pattern for other AI agent frameworks implementing defence-in-depth against injection through tool-use chains (RAXE assessment).
References
- CVE-2026-32247 — NVD entry (vulnStatus: Undergoing Analysis) (NVD)
- GHSA-gg5m-55jj-8m5g — GitHub Security Advisory (GHSA)
- Fix commit 7d65d5e — Patch implementing input validation (GitHub)
- Fix PR #1312 — Pull request with code changes (GitHub)
- Release v0.28.2 — Fixed release (GitHub)
- graphiti-core on PyPI — Package registry (PyPI)
- EPSS Score for CVE-2026-32247 — Exploit Prediction Scoring System (FIRST.org EPSS)