CVE-2026-34976
published 2026-04-06


Priority: P2 (71)
CVSS 3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.45% (36.0th percentile)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF. This vulnerability is fixed in 25.3.1.

Affected (5 ranges)

Vendor      | Product              | Version range   | Fixed in
dgraph-io   | dgraph               | < 25.3.1        | 25.3.1
dgraph      | dgraph               | <= 25.3.0       |
github.com  | dgraph-io_dgraph     | 0 – 1.2.8       |
github.com  | dgraph-io_dgraph_v24 | 0 – 24.0.5      |
github.com  | dgraph-io_dgraph_v25 | >= 0, < 25.3.1  | 25.3.1

Detection & IOCs (extracted from sources)

URL: file://
  • Monitor for unauthenticated GraphQL admin mutation calls to 'restoreTenant'. In affected versions this mutation has no authorization middleware and should never be reachable without authentication. Because no middleware runs at all, a supplied access token is not validated either, so every restoreTenant call on a pre-25.3.1 deployment deserves review, not only anonymous ones.
  • Alert on restoreTenant requests whose backup source is a file:// URL, which indicates local filesystem read or SSRF abuse.
  • Inspect Dgraph admin API traffic for restoreTenant calls from unauthenticated or anonymous sessions; legitimate use should require Guardian-of-Galaxy authentication, as the sibling restore mutation already does.
  • The attack surface also includes S3/MinIO credentials, encryption key file paths and Vault credential file paths passed as mutation parameters: all attacker-controlled inputs with no server-side validation gate.
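The description and the detection guidance above reduce to one check: a restoreTenant mutation reaching the Dgraph /admin GraphQL endpoint, above all without an access token or with a file:// backup source. The following is an added Python example written for this page; it is not Dgraph's code and not part of the advisory. It assumes a request-log export of the shape shown (src, path, headers, decoded JSON body), a hypothetical RestoreTenantInput type name in the sample traffic, and uses X-Dgraph-AccessToken, the header Dgraph ACL clients send, as the authentication signal. The sample requests are constructed, not captures.

```python
"""Flag restoreTenant calls to the Dgraph /admin GraphQL endpoint.

Added detection example for this advisory page, not Dgraph code. The request-record shape
(src, path, headers, decoded JSON body) is an assumed export format; the page names none.
X-Dgraph-AccessToken is the header Dgraph ACL clients send: its absence is the anonymous case
the page describes, and its presence is not proof of authorization, because affected versions
never check it for restoreTenant.
"""
import re

MUTATION_RE = re.compile(r"\s*mutation\b")
AUTH_HEADER = "x-dgraph-accesstoken"


def top_level_fields(query):
    """Field names selected directly under an operation's root selection set.

    A small scanner, not a full GraphQL parser: skips string literals, tracks brace depth
    and argument parentheses, resolves aliases ("alias: field") and ignores directives,
    variables and fragment spreads. Fragment bodies are scanned too (errs towards flagging).
    """
    fields, depth, parens, in_str, i, n = [], 0, 0, False, 0, len(query)
    while i < n:
        c = query[i]
        if in_str:                                  # inside a "..." literal
            if c == "\\":
                i += 2
                continue
            in_str = c != '"'
            i += 1
            continue
        if query.startswith('"""', i):              # block string literal
            end = query.find('"""', i + 3)
            i = n if end < 0 else end + 3
            continue
        if c.isalpha() or c == "_":                 # identifier: consume it whole
            j = i
            while j < n and (query[j].isalnum() or query[j] == "_"):
                j += 1
            if depth == 1 and parens == 0 and (i == 0 or query[i - 1] not in "@$."):
                k = j
                while k < n and query[k].isspace():
                    k += 1
                if k < n and query[k] == ":":       # alias; the real field name follows
                    i = k + 1
                    continue
                fields.append(query[i:j])
            i = j
            continue
        if c == '"':
            in_str = True
        elif c in "{}":
            depth += 1 if c == "{" else -1
        elif c in "()":
            parens += 1 if c == "(" else -1
        i += 1
    return fields


def analyse(record):
    """Return a finding for a restoreTenant mutation in one request record, else None."""
    if record.get("path") != "/admin":
        return None
    body = record.get("body") or {}
    query = body.get("query") or ""
    if not MUTATION_RE.match(query):                # shorthand "{ ... }" documents are queries
        return None
    if "restoreTenant" not in top_level_fields(query):
        return None
    headers = {k.lower(): v for k, v in (record.get("headers") or {}).items()}
    authenticated = bool(headers.get(AUTH_HEADER))
    # The backup location may sit inline in the document or arrive via variables.
    haystack = (query + repr(body.get("variables", {}))).lower()
    file_scheme = "file://" in haystack
    # Anonymous caller: critical. Token present but never checked pre-25.3.1: still review.
    severity = "critical" if not authenticated else ("high" if file_scheme else "review")
    return {"src": record.get("src"), "authenticated": authenticated,
            "file_scheme": file_scheme, "severity": severity}


def scan(records):
    return [f for f in map(analyse, records) if f]


# Constructed sample traffic, not real captures; RestoreTenantInput is an assumed type name.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "path": "/admin", "headers": {"Content-Type": "application/json"},
     "body": {"query": 'mutation { restoreTenant(input: {location: "file:///var/lib/dgraph"}) { code } }'}},
    {"src": "10.0.0.5", "path": "/admin", "headers": {"X-Dgraph-AccessToken": "eyJ..."},
     "body": {"query": 'mutation { restore(input: {location: "s3://backups/dg"}) { code } }'}},
    {"src": "10.0.0.6", "path": "/admin", "headers": {},
     "body": {"query": "{ health { instance status } }"}},
    {"src": "10.0.0.9", "path": "/admin", "headers": {"X-Dgraph-AccessToken": "eyJ..."},
     "body": {"query": "mutation R($in: RestoreTenantInput!) { r: restoreTenant(input: $in) { code } }",
              "variables": {"in": {"location": "file:///etc"}}}},
]

if __name__ == "__main__":
    print(*scan(SAMPLE_REQUESTS), sep="\n")
```

The sibling restore call with a token is not reported, because its Guardian-of-Galaxy middleware is intact; the aliased, variable-driven restoreTenant call is still reported even though a token is present, since affected versions never validate it for this mutation. On a patched 25.3.1 deployment the same scan remains useful as an audit of who invokes tenant restores.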