CVE-2026-28410

The Graph <3.0.0 - Auth Bypass

Title source: llm

Description

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

References (2)

[Patch] https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r

Scores

EPSS 0.0004

EPSS Percentile 11.3%

Classification

CWE

CWE-682 CWE-284

Status draft

Timeline

Published Mar 05, 2026

Tracked Since Mar 06, 2026