
Dgraph-Io Dgraph vulnerabilities

6 known vulnerabilities affecting dgraph-io/dgraph.

Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 5, MEDIUM 1

Vulnerabilities

CVE-2026-41492 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 25.3.3 | 2026-04-24
CVE-2026-41492 [CRITICAL] CWE-200: Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthTo
Source: nvd
CVE-2026-34976 | P2 | CRITICAL | CVSS 10.0 | fixed in 25.3.1 | 2026-04-06
CVE-2026-34976 [CRITICAL] CWE-862: Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutati
Source: nvd
CVE-2026-40173 | P2 | CRITICAL | CVSS 9.4 | fixed in 25.3.2 | 2026-04-15
CVE-2026-40173 [CRITICAL] CWE-200: Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security
Source: nvd
CVE-2026-41328 | P2 | CRITICAL | CVSS 9.1 | fixed in 25.3.3 | 2026-04-24
CVE-2026-41328 [CRITICAL] CWE-943: Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a s
Source: nvd
CVE-2026-41327 | P2 | CRITICAL | CVSS 9.1 | fixed in 25.3.3 | 2026-04-24
CVE-2026-41327 [CRITICAL] CWE-943: Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing
Source: nvd
CVE-2023-31135 | P4 | MEDIUM | CVSS 5.5 | fixed in 23.0.0 | 2023-05-17
CVE-2023-31135 [MEDIUM] CWE-326: Dgraph is an open source distributed GraphQL database. Existing Dgraph audit logs are vulnerable to brute force attacks due to nonce collisions. The first 12 bytes come from a baseIv which is initialized when an audit log is created. The last 4 bytes come from the length of the log line being encrypted. This is problematic because two log lines will
Source: nvd