CVE-2026-32247: Cypher Injection in Graphiti via Insecure SearchFilter Interpolation

Graphiti is a temporal context graph framework used to build stateful AI agents. The framework interacts with multiple graph database backends to store and retrieve contextual data. A vulnerability exists in the query construction logic for Neo4j, FalkorDB, and Neptune backends.

The vulnerability, tracked as CVE-2026-32247, is an instance of CWE-943 (Improper Neutralization of Special Elements in Data Query Logic). It specifically manifests as a Cypher injection flaw within the search-filter processing pipeline. Kuzu backends remain unaffected due to their use of parameterized queries for label handling.

Attackers with low-privileged access to the Graphiti API can leverage this flaw to execute arbitrary database queries. In deployments utilizing the Model Context Protocol (MCP), attackers can trigger the injection indirectly via malicious prompts supplied to an LLM client. The vulnerability was patched in version 0.28.2.

The root cause resides in the insecure string interpolation of user-supplied labels during the construction of Cypher MATCH clauses. Graphiti relies on Cypher labels to filter nodes within the graph database. Backends such as Neo4j, FalkorDB, and Neptune require structural identifiers like labels to be hardcoded into the query string rather than parameterized.

In affected versions, Graphiti extracts the node_labels list from the SearchFilters object and concatenates the elements using the pipe (|) operator. The application prepends a colon to the joined string and directly inserts the result into the query template. The application performs no validation or sanitization on the label values before this concatenation.

Because the label components are unvalidated, an attacker can input strings containing structural Cypher syntax characters. When the database parses the concatenated query string, it interprets the attacker's payload as executable Cypher commands rather than literal label values. This interpretation allows the attacker to break out of the intended MATCH clause and append arbitrary database operations.

The vulnerable code pattern concatenates the node_labels list directly into the query string without validation. The application constructs a filter string and interpolates it into the MATCH statement. This implementation trusts the structural integrity of the user-supplied data.

# Vulnerable Implementation (Conceptual)
node_label_filter = 'n:' + '|'.join(filters.node_labels)
query = f"MATCH ({node_label_filter}) ... "

The patch introduced in commit 7d65d5e77e89a199a62d737634eaa26dbb04d037 replaces this insecure interpolation with strict input validation. The developers implemented a regex pattern to enforce a restrictive whitelist on all label and group ID values. This regex strictly limits inputs to alphanumeric characters and underscores.

# Patched Implementation Helper
SAFE_CYPHER_IDENTIFIER_PATTERN = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')

The patch applies this regex via Pydantic validators on the Node and SearchFilters models. The validation logic ensures that all user-supplied labels start with a letter or underscore. The developers also updated the node_search_filter_query_constructor and persistence layers to explicitly call these validation helpers, preventing bypasses via direct model construction.

Exploiting CVE-2026-32247 requires the attacker to supply a crafted payload via the node_labels parameter. An attacker can authenticate to the Graphiti API directly and submit the payload within a standard search request. A more complex vector involves indirect prompt injection in Model Context Protocol (MCP) environments.

An attacker provides a malicious prompt to an LLM that is configured to use the Graphiti MCP server as a tool. The prompt instructs the LLM to invoke the search_nodes tool with the payload embedded in the entity_types argument. Graphiti maps the entity_types argument directly to the vulnerable node_labels field.

A standard payload takes the form of Person) DETACH DELETE n RETURN n //. Upon execution, the database engine processes the payload, closing the parenthesis to break out of the original MATCH context. The DETACH DELETE command executes immediately after, effectively destroying all nodes and relationships within the target graph database.

The vulnerability carries a CVSS 3.1 base score of 8.1, reflecting a high-severity threat to data confidentiality and integrity. Successful exploitation allows complete control over the underlying graph database. An attacker can read arbitrary data by appending MATCH and RETURN clauses to the injected query.

Data integrity is equally compromised. Attackers can modify existing nodes, forge temporal events, or delete the entire dataset using the DETACH DELETE operation. The application's availability is technically unaffected at the system configuration level, although data destruction effectively halts application functionality.

The vulnerability does not grant direct operating system access or remote code execution on the host machine. The execution context is strictly confined to the database service account permissions. Organizations using vulnerable versions expose their complete temporal context history to total compromise.

The primary remediation for CVE-2026-32247 is upgrading to Graphiti version 0.28.2. This release contains the complete regex-based validation patch across all model constructors and persistence layers. Organizations utilizing Graphiti should deploy this update immediately across all environments.

Administrators should enforce the principle of least privilege on the database service accounts used by Graphiti. Restricting the database user from executing destructive commands like DETACH DELETE limits the impact of successful injections. This backend configuration serves as a critical defense-in-depth measure.

In MCP environments, security teams must treat all LLM outputs as untrusted input. Implementing an intermediary validation layer between the LLM client and the Graphiti server provides additional protection against indirect prompt injection vectors. Monitoring tool-calling behavior for anomalous payload structures aids in detecting exploitation attempts.