1 vulnerability by graphprotocol
CVE-2026-28410 (GCVE-0-2026-28410)
Vulnerability from cvelistv5 – Published: 2026-03-05 20:11 – Updated: 2026-03-06 17:54
Title
The Graph: Revocable vesting contracts allows early access to locked tokens
Summary
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.
Severity
CVSS 4.0: 5.3 (MEDIUM), CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
GitHub_M
References
2 references
| URL | Tags |
|---|---|
| https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r | x_refsource_CONFIRM |
| https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| graphprotocol | contracts | Affected: < 3.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28410",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T17:54:52.003897Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:54:59.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "contracts",
"vendor": "graphprotocol",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-682",
"description": "CWE-682: Incorrect Calculation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T20:11:54.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r"
},
{
"name": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773"
}
],
"source": {
"advisory": "GHSA-qx35-rc5x-x39r",
"discovery": "UNKNOWN"
},
"title": "The Graph: Revocable vesting contracts allows early access to locked tokens"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28410",
"datePublished": "2026-03-05T20:11:54.254Z",
"dateReserved": "2026-02-27T15:33:57.289Z",
"dateUpdated": "2026-03-06T17:54:59.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}