Summary
Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation.
In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cypher construction path.
Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels.
This issue was mitigated in 0.28.2.
Affected Versions
Fixed Version
Affected Components
- Graphiti Core search filter construction
- Graphiti MCP Server
search_nodes when used by an LLM client processing untrusted prompts
Technical Details
Before 0.28.2, Graphiti joined SearchFilters.node_labels with | and inserted the result directly into Cypher label expressions in the shared search-filter constructors used by non-Kuzu providers.
The vulnerable logic was effectively:
node_labels = '|'.join(filters.node_labels)node_label_filter = 'n:' + node_labels
The same pattern was also used in edge-search filter construction.
In MCP deployments, search_nodes accepted an entity_types argument and passed it directly to SearchFilters(node_labels=entity_types). An attacker who could influence prompts processed by an LLM client with Graphiti MCP access could use prompt injection to steer the model into invoking search_nodes with crafted entity_types values containing Cypher syntax. Those values would then be interpolated into Cypher before 0.28.2.
Impact
Successful exploitation could allow arbitrary Cypher execution within the privileges of the configured graph database connection, including:
- reading graph data outside the intended search scope
- modifying graph data
- deleting graph data
- bypassing logical group isolation enforced at the query layer
Additional Note on group_ids
Separately, the original report also identified a narrower issue in fulltext search query construction for unvalidated group_ids. That issue was distinct from the Cypher label-injection path described above and was also mitigated in 0.28.2.
Mitigation
Upgrade to 0.28.2 or later.
Version 0.28.2 added:
- validation of
SearchFilters.node_labels
- defense-in-depth label validation in shared search-filter constructors
- validation of entity node labels in persistence query builders
- validation of
group_ids in shared search fulltext helpers
Workarounds
If you cannot upgrade immediately:
- do not expose Graphiti MCP tools to untrusted users or to LLM workflows that process untrusted prompt content
- avoid passing untrusted values into
SearchFilters.node_labels or MCP entity_types
- restrict graph database credentials to the minimum privileges required
Credits
@4n93L for their original report.
romain-deperne Reporter
Summary
Graphiti versions before
0.28.2contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied throughSearchFilters.node_labelswere concatenated directly into Cypher label expressions without validation.In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call
search_nodeswith attacker-controlledentity_typesvalues. The MCP server mappedentity_typestoSearchFilters.node_labels, which then reached the vulnerable Cypher construction path.Affected backends included Neo4j, FalkorDB, and Neptune. Kuzu was not affected by the label-injection issue because it used parameterized label handling rather than string-interpolated Cypher labels.
This issue was mitigated in
0.28.2.Affected Versions
0.28.1and earlierFixed Version
0.28.2Affected Components
search_nodeswhen used by an LLM client processing untrusted promptsTechnical Details
Before
0.28.2, Graphiti joinedSearchFilters.node_labelswith|and inserted the result directly into Cypher label expressions in the shared search-filter constructors used by non-Kuzu providers.The vulnerable logic was effectively:
node_labels = '|'.join(filters.node_labels)node_label_filter = 'n:' + node_labelsThe same pattern was also used in edge-search filter construction.
In MCP deployments,
search_nodesaccepted anentity_typesargument and passed it directly toSearchFilters(node_labels=entity_types). An attacker who could influence prompts processed by an LLM client with Graphiti MCP access could use prompt injection to steer the model into invokingsearch_nodeswith craftedentity_typesvalues containing Cypher syntax. Those values would then be interpolated into Cypher before0.28.2.Impact
Successful exploitation could allow arbitrary Cypher execution within the privileges of the configured graph database connection, including:
Additional Note on
group_idsSeparately, the original report also identified a narrower issue in fulltext search query construction for unvalidated
group_ids. That issue was distinct from the Cypher label-injection path described above and was also mitigated in0.28.2.Mitigation
Upgrade to
0.28.2or later.Version
0.28.2added:SearchFilters.node_labelsgroup_idsin shared search fulltext helpersWorkarounds
If you cannot upgrade immediately:
SearchFilters.node_labelsor MCPentity_typesCredits
@4n93L for their original report.