CVE-2026-41327
Published 2026-04-24
Priority P2 · 62 · critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.42% (34.0th percentile)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgraph-io | dgraph | < 25.3.3 | 25.3.3 |
| dgraph | dgraph | < 25.3.3 | 25.3.3 |
| github.com | dgraph-io_dgraph | 0 – 1.2.8 | — |
| github.com | dgraph-io_dgraph_v24 | 0 – 24.1.8 | — |
| github.com | dgraph-io_dgraph_v25 | >= 0 < 25.3.3 | 25.3.3 |
| github.com | dgraph-io_dgraph_v25 | >= 0 < 25.3.4 | 25.3.4 |
CVSS provenance
NVD (CVSS v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
GHSA: 9.1 CRITICAL
GHSA
CVE-2026-44840 [CRITICAL] CWE-943 Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query
ghsa · 2026-06-29 · CVSS 9.1
## Summary
The `checkUserPassword` GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL `checkpwd()` query via `fmt.Sprintf` without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks.
## Details
### Vulnerable Code Path
The vulnerability exists in the GraphQL-to-DQL query rewriting layer:
1. **`query_rewriter.go` (~line 364)** — The `checkpwd()` DQL function is constructed using `fmt.Sprintf`:
```go
fmt.Sprintf(`checkpwd(User.password, "%s")`, password)
```
The raw password string from the G
VulDB
CVE-2026-41327 [CRITICAL] dgraph-io dgraph up to 25.3.2 DQL Parser /mutate?commitNow=true cond data query logic injection
vuldb · 2026-04-24 · CVSS 9.1
A vulnerability marked as critical has been reported in dgraph-io dgraph up to 25.3.2. The impacted element is an unknown function of the file /mutate?commitNow=true of the component DQL Parser. The manipulation of the argument cond leads to improper neutralization of special elements in data query logic.
This vulnerability is documented as CVE-2026-41327. The attack can be initiated remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
CVE-2026-41327 [CRITICAL] CWE-943 Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field
ghsa · 2026-04-24
## 1. Executive Summary
A vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled.
The attack is a single HTTP POST to `/mutate?commitNow=true` containing a crafted `cond` field in an upsert mutation. The `cond` value is concatenated directly into a DQL query string via `strings.Builder.WriteString` after only a cosmetic `strings.Replace` transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the `cond` string, which the DQL parser accepts as a syntactically valid named qu
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.