Security testing of REST APIs remains difficult because real-world OpenAPI specifications are often incomplete, many security flaws are inherently stateful, and prevailing stateful fuzzers still optimize primarily for structural exploration rather than OWASP-aligned risk categories. Based on this gap, this paper presents APIGFUZZ, a graph-driven, OWASP-aware black-box REST API fuzzing framework that builds an operation-level parameter-flow graph from OpenAPI specifications and lightweight semantic field classification. The graph recovers producer-consumer dependencies between operations, including low-confidence create-then-access relations when response schemas are weak, and supports deterministic generation of short stateful request sequences. On top of this graph, the framework applies OWASP-aligned test templates and strategy-specific payload pools, while a multi-oracle panel evaluates executions using status-code anomalies, authorization and sequence invariants, schema deviations, idempotency drift, and dedicated checks for categories that are invisible to 5xx-only baselines, such as rate limiting and some injection behaviors. Large language models are used only outside the hot fuzzing loop: first, for offline rule inference from natural-language descriptions, and second, as an optional fallback classifier for ambiguous parameters. This design preserves determinism, cost control, and reproducibility while still benefiting from limited semantic guidance. Experiments on two OpenAPI-documented API security benchmarks, vAPI 1.3 and c{api}tal, show that APIGFUZZ finds 33 unique bugs on vAPI under a 30-minute budget, including 21 oracle-only findings beyond standard 5xx detection, covers 8 of 10 OWASP API Top-10 categories, and surfaces a rate-limiting flaw on the hardened c{api}tal backend that the compared baselines do not detect.