5.3
The Graph Token Vesting Contract Flaw: Unlocked Tokens
CVE-2026-28410
Summary
The Graph's token vesting contracts, used to manage token releases, had a flaw that allowed users to access tokens too early. This could let some users get tokens they weren't supposed to have. The issue was fixed in version 3.0.0, so update to the latest version to stay secure.
What to do
Update to version 3.0.0 or later, which contains the patch.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| thegraph | graph_protocol_contracts | <= 3.0.0 | – |
Original title
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tok...
Original description
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-284: Improper Access Control
CWE-682: Incorrect Calculation
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026