CVE-2026-28410
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| graphprotocol | contracts | < 3.0.0 | affected |
Weaknesses
- CWE-284: CWE-284: Improper Access Control
- CWE-682: CWE-682: Incorrect Calculation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r
- https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.