Description
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
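To make the root cause concrete, here is an added Go sketch (not Dgraph's code, and not the 25.3.3 fix) of the pattern the description attributes to addQueryIfUnique: a DQL query assembled with fmt.Sprintf from a predicate name whose language tag is taken straight from the JSON key, placed beside a hardened builder that validates the tag against an allowlist before it can reach the template. The names splitPredicateLang, isValidLangTag, buildUniqueQueryUnsafe and buildUniqueQuery, the query template and the allowlist regex are all assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// splitPredicateLang mirrors what the advisory attributes to x.PredicateLang:
// key "name@en" splits on '@' into predicate "name" and language tag "en".
func splitPredicateLang(key string) (pred, lang string) {
	if i := strings.Index(key, "@"); i >= 0 {
		return key[:i], key[i+1:]
	}
	return key, ""
}

// langTagRE is an allowlist for BCP 47-style tags (letters, digits, hyphens).
// Parentheses, '#', quotes and whitespace never match, so no DQL syntax can
// reach the query template via the tag. (Assumed check; the real fix may differ.)
var langTagRE = regexp.MustCompile(`^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$`)

func isValidLangTag(lang string) bool {
	return lang == "" || langTagRE.MatchString(lang)
}

// buildUniqueQueryUnsafe has the vulnerable shape: the tag is formatted into
// the DQL text untouched, so anything after '@' lands inside eq().
func buildUniqueQueryUnsafe(key, value string) string {
	pred, lang := splitPredicateLang(key)
	if lang != "" {
		pred += "@" + lang
	}
	return fmt.Sprintf(`{ q(func: eq(%s, %q)) { uid } }`, pred, value)
}

// buildUniqueQuery is the hardened form: validate the tag first and refuse
// the mutation rather than ever placing an unexpected tag into the template.
func buildUniqueQuery(key, value string) (string, error) {
	_, lang := splitPredicateLang(key)
	if !isValidLangTag(lang) {
		return "", fmt.Errorf("rejecting mutation: invalid language tag %q", lang)
	}
	return buildUniqueQueryUnsafe(key, value), nil
}

func main() {
	q, err := buildUniqueQuery("name@en", "hello") // constructed sample key
	fmt.Println(q, err)
}
```

The allowlist is the defensive point: a language tag has a small, known alphabet, so rejecting anything outside it at the parsing boundary removes the injection surface without needing to escape DQL.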
Published: 2026-04-24
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Full Database Exfiltration
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an unauthenticated attacker to read the entire contents of a Dgraph database when the default configuration (no ACL) is in use. By sending two unauthenticated HTTP POST requests to port 8080, first to /alter to add a specially crafted schema predicate and then to /mutate?commitNow=true with a JSON key that contains the predicate name followed by an @ symbol and a malicious DQL payload, the attacker can inject arbitrary DQL. The injected query is executed on the server and its result set is returned in the HTTP response, effectively granting full data exfiltration. The weakness is classified as CWE-943 (improper neutralization of special elements in data query logic); here the injection vector is a JSON mutation key.

Affected Systems

The affected product is Dgraph-IO's Dgraph database, in any deployment running a version prior to 25.3.3. The vulnerability depends on the default configuration, where access control lists are disabled, so any instance exposing port 8080 without authentication is susceptible.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity due to complete data compromise. Although the EPSS score is below 1 %, suggesting a low current exploitation probability, the vulnerability is publicly known and the attack requires no privileges, only network reach to the unauthenticated API endpoints. The vulnerability is not yet in CISA's KEV catalog. If a Dgraph instance is publicly reachable and ACL is not enabled, this weakness can be exploited with minimal effort. Enabling authentication or applying the patch dramatically reduces the risk.

Generated by OpenCVE AI on April 28, 2026 at 05:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch by upgrading Dgraph to version 25.3.3 or later.
  • If an upgrade cannot be performed immediately, enable Dgraph’s Access Control Lists so that all API endpoints require authentication.
  • Limit network exposure of port 8080 to trusted hosts or networks to eliminate unauthenticated access.

Generated by OpenCVE AI on April 28, 2026 at 05:54 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-x92x-px7w-4gx4
Title: Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field
History

Tue, 28 Apr 2026 18:45:00 +0000

Values added:
  • CPEs: cpe:2.3:a:dgraph:dgraph:*:*:*:*:*:go:*:*

Mon, 27 Apr 2026 20:45:00 +0000

Values added:
  • First Time appeared: Dgraph, Dgraph dgraph
  • Vendors & Products: Dgraph, Dgraph dgraph

Fri, 24 Apr 2026 20:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 18:30:00 +0000

Values added:
  • Description: Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
  • Title: Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field
  • Weaknesses: CWE-943
  • References:
  • Metrics (cvssV3_1): {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T19:57:59.743Z

Reserved: 2026-04-20T14:01:46.672Z

Link: CVE-2026-41328

Vulnrichment

Updated: 2026-04-24T19:57:54.586Z

NVD

Status : Analyzed

Published: 2026-04-24T19:17:12.553

Modified: 2026-04-28T18:31:09.990

Link: CVE-2026-41328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses