CVE-2026-41327

Dgraph · Dgraph

Dgraph is vulnerable to an unauthenticated DQL injection attack that allows full read access to database data via crafted HTTP POST requests.

Executive summary

A critical DQL injection vulnerability in Dgraph allows unauthenticated attackers to gain full read access to sensitive database contents.

Vulnerability

This vulnerability involves improper input sanitization within the DQL query parser, where an unauthenticated attacker can inject arbitrary query blocks into the cond field of an upsert mutation. The lack of parameterization allows the injected query to execute server-side and return sensitive data in the HTTP response.

Business impact

The ability for an unauthenticated user to retrieve the entire contents of a database represents a catastrophic security failure. Given the CVSS score of 9.1, this vulnerability poses an extreme risk of mass data exfiltration, regulatory non-compliance, and severe reputational damage to any organization running Dgraph in its default configuration.

Remediation

Immediate Action: Upgrade all Dgraph instances to version 25.3.3 or later to resolve the query injection flaw.

Proactive Monitoring: Review access logs for suspicious HTTP POST requests directed to the /mutate endpoint, specifically looking for anomalous cond field values.

Compensating Controls: Implement strict network access controls to limit access to the Dgraph API and ensure that Access Control Lists (ACLs) are enabled and configured to prevent unauthorized operations.

Exploitation status

Public Exploit Available: False

Analyst recommendation

The severity of this vulnerability cannot be overstated, as it provides an unauthenticated path to total data exposure. Organizations must prioritize upgrading their Dgraph installations to version 25.3.3 immediately and audit their current configuration to ensure ACLs are properly enforced.