CVE-2026-28410 MEDIUM

CVE-2026-28410: The Graph: Revocable vesting contracts allows early access to locked tokens

Vendor Graphprotocol
Product contracts
Weakness CWE-284
Published March 5, 2026
Last update March 6, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

Key dates

02Disclosure timeline

March 5, 2026 CVE published
March 6, 2026 Record updated