CVE-2026-28410

HIGH

The Graph <3.0.0 - Auth Bypass

Title source: llm

Description

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

References (2)

[Vendor Advisory] https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r

[Patch] https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0004

EPSS Percentile 11.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-682 CWE-284

Status published

Products (1)

thegraph/graph_protocol_contracts < 3.0.0

Published Mar 05, 2026

Tracked Since Mar 06, 2026