Graphiti versions before 0.28.2 contain a Cypher injection vulnerability in the shared search-filter construction logic used by non-Kuzu graph database backends. Attacker-controlled values passed through SearchFilters.node_labels are concatenated directly into Cypher label expressions without validation or sanitisation.
What makes this especially significant is the two-stage attack path in MCP deployments: an attacker does not need direct API access to the Graphiti MCP server. Instead, they can deliver a prompt injection payload to an LLM client connected to Graphiti, inducing the model to call search_nodes with attacker-controlled entity_types values — translating a prompt injection into a graph database injection with no direct server access required.
In production agentic deployments where Graphiti is used as a long-term memory or knowledge graph store, this vulnerability allows an attacker to read or corrupt graph data, exfiltrate relationship maps, and potentially pivot to connected systems depending on the graph contents and backend configuration.
Immediate recommendation: Upgrade graphiti-core to version 0.28.2 or later. Audit any MCP server configuration that exposes search_nodes to untrusted LLM input without a tool-call approval layer.
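To make the class of bug concrete for reviewers auditing similar code, here is an added illustration (not Graphiti's own code) of the unsafe pattern the advisory describes beside a hardened label builder. The function names, the `n:A|B` label-expression shape and the allowlist contents are assumptions; the key point is that Cypher cannot parameterise labels, so the only defence is strict validation before the value reaches query text.

```python
import re

# A Cypher label name is a plain identifier. Anything outside this shape
# (quotes, backticks, parentheses, colons, whitespace) can never be part of a
# legitimate label and must be rejected rather than inserted into the query.
_LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Hypothetical allowlist: the entity types this deployment actually defines.
# An allowlist is stronger than a regex alone, because an LLM client should
# only ever name types the schema knows about.
KNOWN_ENTITY_TYPES = frozenset({"Entity", "Person", "Organization", "Location"})


def vulnerable_label_filter(node_labels: list[str]) -> str:
    """The unsafe pattern: caller-supplied values concatenated straight into a
    Cypher label expression. Whatever the string contains becomes query text."""
    return "n:" + "|".join(node_labels)


def is_safe_label(label: str, allowed: frozenset[str] = KNOWN_ENTITY_TYPES) -> bool:
    """True only if the value is identifier-shaped AND a known entity type."""
    return bool(_LABEL_RE.fullmatch(label)) and label in allowed


def safe_label_filter(node_labels: list[str],
                      allowed: frozenset[str] = KNOWN_ENTITY_TYPES) -> str:
    """Hardened builder: validate every label before it touches the query and
    fail the whole request on the first rejected value. Labels cannot be
    passed as Cypher parameters, so validation is the control here."""
    if not node_labels:
        raise ValueError("at least one node label is required")
    for label in node_labels:
        if not is_safe_label(label, allowed):
            # Log the rejected value: repeated rejections from an MCP client
            # are a useful detection signal for prompt-injection attempts.
            raise ValueError(f"rejected node label: {label!r}")
    # Backticks are redundant after validation but make the intent explicit.
    return "n:" + "|".join(f"`{label}`" for label in node_labels)


if __name__ == "__main__":
    print(safe_label_filter(["Person", "Organization"]))
    for bad in ["Person`", "Person OR x", "Unknown"]:
        print(bad, "->", is_safe_label(bad))
```

In an MCP deployment the same check belongs at the tool boundary (before `search_nodes` is dispatched), so that a rejected `entity_types` value never reaches the backend at all.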