CVE-2026-34976
Dgraph · Dgraph
Dgraph contains an unauthenticated admin mutation, allowing attackers to overwrite databases, read sensitive files, and perform SSRF attacks.
Executive summary
An unauthenticated vulnerability in the Dgraph GraphQL database allows remote attackers to fully compromise the database and perform unauthorized file system access.
Vulnerability
The restoreTenant admin mutation is missing authorization middleware. This allows unauthenticated attackers to provide malicious backup source URLs, overwrite existing data, and access sensitive server-side files or internal network resources.
Business impact
This vulnerability grants an attacker complete control over the database, leading to data loss, theft, and potential pivot points into the internal network via SSRF. The CVSS score of 10.0 underscores the extreme risk to business-critical data and infrastructure.
Remediation
Immediate Action: Update Dgraph instances to version 25.3.1 or later.
Proactive Monitoring: Monitor database access logs for any unauthorized restoreTenant requests or unusual outbound network traffic indicative of SSRF.
Compensating Controls: Ensure Dgraph is not exposed to the public internet and restrict access to administrative ports via network firewalls and VPNs.
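As an added illustration of the monitoring step above (example code written here, not from the advisory and not part of Dgraph), the Python below scans constructed request-log lines for restoreTenant mutations. It assumes the GraphQL admin endpoint is served at /admin, that the log records the client IP and the request body, and that the operator's trusted admin subnet is known; the log format and subnet are placeholders.

```python
import ipaddress
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample log (NOT real Dgraph output): one JSON object per request
# with the client IP, request path and the GraphQL body that was sent.
SAMPLE_LOG = r'''
{"src":"10.0.0.5","path":"/admin","body":"mutation { restoreTenant(input: {location: \"s3://backups/prod\"}) { code } }"}
{"src":"203.0.113.7","path":"/admin","body":"mutation { restoreTenant(input: {location: \"http://169.254.169.254/latest/meta-data/\"}) { code } }"}
{"src":"203.0.113.7","path":"/admin","body":"mutation { restoreTenant(input: {location: \"file:///tmp/backup\"}) { code } }"}
{"src":"10.0.0.6","path":"/graphql","body":"query { queryPerson { name } }"}
'''

# Subnets from which admin traffic is legitimately expected (assumed value).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

RESTORE_RE = re.compile(r"\brestoreTenant\b")
# Any quoted scheme://... token inside the mutation body (the backup source).
URL_RE = re.compile(r"""["']([a-zA-Z][a-zA-Z0-9+.-]*://[^"']+)["']""")


def classify_url(url: str) -> Optional[str]:
    """Reason a backup-source URL is suspicious for a restore, or None."""
    parsed = urlparse(url)
    if parsed.scheme == "file":
        return "local file read via file:// source"
    host = parsed.hostname
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname, not an IP literal; no DNS resolution offline
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"SSRF to internal address {ip}"
    return None


def scan_admin_log(text: str) -> list:
    """Flag restoreTenant calls from untrusted sources or with bad source URLs."""
    findings = []
    for line in text.strip().splitlines():
        entry = json.loads(line)
        body = entry.get("body", "")
        if entry.get("path") != "/admin" or not RESTORE_RE.search(body):
            continue
        src = ipaddress.ip_address(entry["src"])
        reasons = []
        if not any(src in net for net in TRUSTED_ADMIN_NETS):
            reasons.append("restoreTenant from untrusted source")
        reasons += [r for r in map(classify_url, URL_RE.findall(body)) if r]
        if reasons:
            findings.append({"src": str(src), "reasons": reasons})
    return findings
```

Because the vulnerable endpoint performs no authorization itself, every restoreTenant call from outside the operator network is worth an alert, not only those with an internal or file:// source.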
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This is a critical security failure requiring urgent intervention. All Dgraph deployments must be patched to 25.3.1 immediately, and network access to administrative endpoints must be strictly audited and limited to trusted sources.