Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacke...
Description
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
AI Analyst Comment
Remediation
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Dgraph
PRODUCT: Dgraph
AFFECTED_VERSIONS: Prior to 25.3.3
CONFIDENCE: high
MISSING: none
---END_METADATA---
Description Summary:
Dgraph is vulnerable to an unauthenticated DQL injection attack that allows full read access to database data via crafted HTTP POST requests.
Executive Summary:
A critical DQL injection vulnerability in Dgraph allows unauthenticated attackers to gain full read access to sensitive database contents.
Vulnerability Details
CVE-ID: CVE-2026-41327
Affected Software: Dgraph Dgraph
Affected Versions: Prior to 25.3.3
Vulnerability: This vulnerability involves improper input sanitization within the DQL query parser, where an unauthenticated attacker can inject arbitrary query blocks into the
condfield of an upsert mutation. The lack of parameterization allows the injected query to execute server-side and return sensitive data in the HTTP response.Business Impact
The ability for an unauthenticated user to retrieve the entire contents of a database represents a catastrophic security failure. Given the CVSS score of 9.1, this vulnerability poses an extreme risk of mass data exfiltration, regulatory non-compliance, and severe reputational damage to any organization utilizing Dgraph in its default configuration.
Remediation Plan
Immediate Action: Upgrade all Dgraph instances to version 25.3.3 or later immediately to resolve the query injection flaw.
Proactive Monitoring: Review access logs for suspicious HTTP POST requests directed to the
/mutateendpoint, specifically looking for anomalouscondfield values.Compensating Controls: Implement strict network access controls to limit access to the Dgraph API and ensure that Access Control Lists (ACLs) are enabled and configured to prevent unauthorized operations.
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of Apr 24, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The severity of this vulnerability cannot be overstated, as it provides an unauthenticated path to total data exposure. Organizations must prioritize upgrading their Dgraph installations to version 25.3.3 immediately and audit their current configuration to ensure ACLs are properly enforced.