CVE-2026-28410

HIGH

graph_protocol_contracts < 3.0.0 - Incorrect Token Vesting Calculation

Title source: llm

Description

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r

Patch x_refsource_misc

https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0023

EPSS Percentile 13.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-682 CWE-284

Status published

Products (1)

thegraph/graph_protocol_contracts < 3.0.0

Published Mar 05, 2026

Tracked Since Mar 06, 2026