{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28410", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:33:57.289Z", "datePublished": "2026-03-05T20:11:54.254Z", "dateUpdated": "2026-03-06T17:54:59.280Z"}, "containers": {"cna": {"title": "The Graph: Revocable vesting contracts allows early access to locked tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-682", "lang": "en", "description": "CWE-682: Incorrect Calculation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r"}, {"name": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773", "tags": ["x_refsource_MISC"], "url": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773"}], "affected": [{"vendor": "graphprotocol", "product": "contracts", "versions": [{"version": "< 3.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:11:54.254Z"}, "descriptions": [{"lang": "en", "value": "The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0."}], "source": {"advisory": "GHSA-qx35-rc5x-x39r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T17:54:52.003897Z", "id": "CVE-2026-28410", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:54:59.280Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T17:54:52.003897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:54:55.601Z"}}], "cna": {"title": "The Graph: Revocable vesting contracts allows early access to locked tokens", "source": {"advisory": "GHSA-qx35-rc5x-x39r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "graphprotocol", "product": "contracts", "versions": [{"status": "affected", "version": "< 3.0.0"}]}], "references": [{"url": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r", "name": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773", "name": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-682", "description": "CWE-682: Incorrect Calculation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:11:54.254Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28410", "state": "PUBLISHED", "dateUpdated": "2026-03-06T17:54:59.280Z", "dateReserved": "2026-02-27T15:33:57.289Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T20:11:54.254Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thegraph:graph_protocol_contracts:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E29EDF2F-7E8C-4363-A937-3A040088B08B", "versionEndExcluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0."}, {"lang": "es", "value": "The Graph es un protocolo de indexaci\u00f3n para consultar redes como Ethereum, IPFS, Polygon y otras blockchains. Antes de la versi\u00f3n 3.0.0, una falla en los contratos de adquisici\u00f3n de tokens permite a los usuarios acceder a tokens que deber\u00edan seguir bloqueados seg\u00fan su cronograma de adquisici\u00f3n de derechos. Este problema ha sido parcheado en la versi\u00f3n 3.0.0."}], "id": "CVE-2026-28410", "lastModified": "2026-03-10T16:54:26.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T21:16:21.873", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-682"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "contracts", "source": "cna", "vendor": "graphprotocol"}, "product": "contracts", "vendor": "graphprotocol"}], "analysis": {"en": {"generated_at": "2026-04-16T12:10:22.419563+00:00", "value": {"mitigation_remediation": ["Upgrade to Graph Protocol Contracts v3.0.0 or later, which contains the patch for the vesting flaw.", "If an upgrade is not immediately possible, restrict usage of the current contracts to a verified set of accounts and monitor for unauthorized claims.", "After remediation, perform a code audit to confirm the vesting logic enforces the correct schedule and that no other early\u2011claim paths remain."], "summary": {"action": "Patch", "impact": "Unauthorized release of locked tokens"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Graph Protocol Contracts developed by The Graph. It appears in all releases prior to version 3.0.0 that run on a Node.js environment. The latest patched release is v3.0.0; earlier versions remain vulnerable.", "description_and_impact": "A flaw in the Graph Protocol\u2019s token vesting contracts allows early access to tokens that should be locked by the vesting schedule. This results in users receiving tokens before the intended release date, undermining the intended allocation and potentially resulting in financial loss for token holders or depositors. The weakness corresponds to improper authorization handling and an incorrect manipulation of data, as indicated by the associated CWEs.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity. EPSS is reported as less than 1\u202f%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker interacting with the smart contract on the blockchain network, triggering the vulnerability through normal claim functions. No public exploit has been disclosed, but the flaw allows an attacker with transactional access to claim vested tokens early, thereby gaining an advantage in token distribution."}}}}, "created": "2026-03-06T15:01:05.950471+00:00", "updated": "2026-04-16T12:15:35.092147+00:00", "vendors": ["graphprotocol", "graphprotocol$PRODUCT$contracts"]}