CVE-2026-28410 - Vulnerability Details - OpenCVE

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773
https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r

History

Thu, 05 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.
Title		The Graph: Revocable vesting contracts allows early access to locked tokens
Weaknesses		CWE-284 CWE-682
References		https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773 https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-05T20:11:54.254Z

Updated: 2026-03-05T20:11:54.254Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28410

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-05T21:16:21.873

Modified: 2026-03-05T21:16:21.873

Link: CVE-2026-28410

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28410", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:33:57.289Z", "datePublished": "2026-03-05T20:11:54.254Z", "dateUpdated": "2026-03-05T20:11:54.254Z"}, "containers": {"cna": {"title": "The Graph: Revocable vesting contracts allows early access to locked tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-682", "lang": "en", "description": "CWE-682: Incorrect Calculation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r"}, {"name": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773", "tags": ["x_refsource_MISC"], "url": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773"}], "affected": [{"vendor": "graphprotocol", "product": "contracts", "versions": [{"version": "< 3.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:11:54.254Z"}, "descriptions": [{"lang": "en", "value": "The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0."}], "source": {"advisory": "GHSA-qx35-rc5x-x39r", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0."}], "id": "CVE-2026-28410", "lastModified": "2026-03-05T21:16:21.873", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T21:16:21.873", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773"}, {"source": "security-advisories@github.com", "url": "https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-682"}], "source": "security-advisories@github.com", "type": "Primary"}]}