CVE-2026-41328
published 2026-04-24CVE-2026-41328: Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full…
PriorityP263critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
0.34%
25.6th percentile
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgraph-io | dgraph | < 25.3.3 | 25.3.3 |
| dgraph | dgraph | < 25.3.3 | 25.3.3 |
| github.com | dgraph-io_dgraph | 0 – 1.2.8 | — |
| github.com | dgraph-io_dgraph_v24 | 0 – 24.1.8 | — |
| github.com | dgraph-io_dgraph_v25 | >= 0 < 25.3.3 | 25.3.3 |
| github.com | dgraph-io_dgraph_v25 | >= 0 < 25.3.4 | 25.3.4 |
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ghsa9.1CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query
ghsa·2026-06-29·CVSS 9.1
CVE-2026-44840 [CRITICAL] CWE-943 Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query
## Summary
The `checkUserPassword` GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL `checkpwd()` query via `fmt.Sprintf` without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks.
## Details
### Vulnerable Code Path
The vulnerability exists in the GraphQL-to-DQL query rewriting layer:
1. **`query_rewriter.go` (~line 364)** — The `checkpwd()` DQL function is constructed using `fmt.Sprintf`:
```go
fmt.Sprintf(`checkpwd(User.password, "%s")`, password)
```
The raw password string from the G
GHSA
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field
ghsa·2026-04-24
CVE-2026-41328 [CRITICAL] CWE-943 Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field
## 1. Executive Summary
A vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled.
The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with `@unique @index(exact) @lang` via `/alter` (also unauthenticated in default config). The second sends a crafted JSON mutation to `/mutate?commitNow=true` where a JSON key contains the predicate name followed by `@` and a DQL injection payload in the language tag position.
The injection exploits the `addQueryIfUnique` function in `edgraph/server.go`, which constructs DQL queries using `fmt.
VulDB
dgraph-io dgraph up to 25.3.2 JSON /alter x.PredicateLang pred.Lang data query logic injection
vuldb·2026-04-24·CVSS 9.1
CVE-2026-41328 [CRITICAL] dgraph-io dgraph up to 25.3.2 JSON /alter x.PredicateLang pred.Lang data query logic injection
A vulnerability identified as critical has been detected in dgraph-io dgraph up to 25.3.2. Affected is the function x.PredicateLang of the file /alter of the component JSON Handler. The manipulation of the argument pred.Lang leads to improper neutralization of special elements in data query logic.
This vulnerability is documented as CVE-2026-41328. The attack can be initiated remotely. There is not any exploit available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-24
Published