CVE-2026-28410 | THREATINT

Description

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

PUBLISHED Reserved 2026-02-27 | Published 2026-03-05 | Updated 2026-03-05 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-284: Improper Access Control

CWE-682: Incorrect Calculation

Product status

< 3.0.0

affected

References

github.com/...tracts/security/advisories/GHSA-qx35-rc5x-x39r

github.com/...ommit/91224ed83eeff3fc3afea01f5ed269373d9bf773

cve.org (CVE-2026-28410)

nvd.nist.gov (CVE-2026-28410)

Download JSON