CVE-2026-41328

Dgraph · Dgraph

An unauthenticated DQL injection vulnerability in Dgraph's default configuration allows attackers to read all database contents via crafted mutation requests.

Executive summary

A critical DQL injection vulnerability in Dgraph allows unauthenticated attackers to bypass security controls and gain full read access to the entire database.

Vulnerability

The vulnerability stems from improper sanitization of the Lang value in DQL mutations. By sending specially crafted HTTP POST requests to the /alter and /mutate endpoints, an unauthenticated attacker can inject arbitrary query logic, effectively bypassing ACL restrictions in default configurations.

Business impact

With a CVSS score of 9.1, this vulnerability allows for total compromise of database confidentiality. An attacker can exfiltrate all stored records, posing an existential threat to data privacy and regulatory compliance.

Remediation

Immediate Action: Upgrade Dgraph to version 25.3.3 or later to ensure proper sanitization of DQL inputs.

Proactive Monitoring: Review audit logs for suspicious activity on the /alter and /mutate endpoints and investigate any unexpected DQL query structures.

Compensating Controls: Enable Access Control Lists (ACLs) if they are not already active, and restrict network access to the Dgraph API ports to authorized application servers only.
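The monitoring and compensating-control steps above can be backed by a small amount of defensive code at the application or log-pipeline layer. The following is an added example, not Dgraph's own code and not part of this advisory: it triages access-log records for requests to the /alter and /mutate endpoints named above, flagging any that arrive from a host outside an allowlist of application servers or that carry no authentication header, and it screens outgoing JSON mutations so that only plain language tags reach Dgraph. The log format (one JSON object per line with src, method, path and auth fields), the allowlist addresses, the language-tag pattern and the sample records are all constructed assumptions for the example.

```python
"""Audit-log triage and mutation-payload screening for the Dgraph advisory.

Added illustrative example; not Dgraph project code. Assumptions (not from
the advisory): the access log is one JSON object per line with the fields
"src", "method", "path" and "auth"; the allowlist of application servers and
the language-tag pattern are hypothetical values chosen for this example.
"""
import json
import re
from typing import Iterable

# Endpoints named in the advisory.
SENSITIVE_PATHS = {"/alter", "/mutate"}

# Hypothetical allowlist of application servers permitted to reach the API.
ALLOWED_SOURCES = {"10.0.1.10", "10.0.1.11"}

# Conservative language-tag shape (2-3 letters, optional alphanumeric
# subtags). Assumption: the application only ever needs simple tags, so
# anything else after '@' is rejected before it is forwarded to Dgraph.
LANG_TAG = re.compile(r"^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{1,8})*$")


def triage_access_log(lines: Iterable[str]) -> list[dict]:
    """Return findings for /alter and /mutate requests that come from an
    unapproved source or carry no authentication header."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            # Unparseable lines are surfaced rather than silently dropped.
            findings.append({"reasons": ["unparseable log line"], "line": raw})
            continue
        if rec.get("path") not in SENSITIVE_PATHS:
            continue
        reasons = []
        if rec.get("src") not in ALLOWED_SOURCES:
            reasons.append("source not in allowlist")
        if not rec.get("auth"):
            reasons.append("no auth header")
        if reasons:
            findings.append({"src": rec.get("src"), "path": rec["path"],
                             "reasons": reasons})
    return findings


def screen_json_mutation(payload: dict) -> list[str]:
    """Return the keys of a JSON mutation whose '@' suffix is not a plain
    language tag. Dgraph JSON mutations write language-tagged strings with
    keys of the form "predicate@lang"; this walks nested objects and lists."""
    bad = []

    def walk(obj):
        if isinstance(obj, dict):
            for key, value in obj.items():
                if "@" in key and not LANG_TAG.fullmatch(key.split("@", 1)[1]):
                    bad.append(key)
                walk(value)
        elif isinstance(obj, list):
            for item in obj:
                walk(item)

    walk(payload)
    return bad


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """
{"src": "10.0.1.10", "method": "POST", "path": "/mutate", "auth": "Bearer [redacted]"}
{"src": "10.0.1.10", "method": "POST", "path": "/query", "auth": "Bearer [redacted]"}
{"src": "203.0.113.7", "method": "POST", "path": "/mutate", "auth": ""}
{"src": "10.0.1.11", "method": "POST", "path": "/alter", "auth": ""}
"""

# Constructed sample mutation: one key carries a malformed language tag.
SAMPLE_MUTATION = {
    "set": [
        {"uid": "_:a", "name@en": "Alice", "name@fr": "Alice"},
        {"uid": "_:b", "name@en-GB": "Bob", "name@x y": "Bob"},
    ]
}

if __name__ == "__main__":
    for finding in triage_access_log(SAMPLE_LOG.splitlines()):
        print("ALERT", finding)
    print("rejected keys:", screen_json_mutation(SAMPLE_MUTATION))
```

The log triage is deliberately coarse: in a deployment where ACLs are enabled every /alter and /mutate request should carry an auth header, so any request without one, or from a host that is not an application server, is worth a ticket regardless of what its body contains. The mutation screen sits in front of Dgraph rather than inside it, so it remains useful as a compensating control until the upgrade to 25.3.3 is complete.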

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This is a severe vulnerability that grants full read access to the database without authentication. It is critical to apply the provided patch immediately and verify that ACLs are properly configured to add a layer of defense-in-depth.