Threat Advisory

Dgraph Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Dgraph, an open source distributed graph database with a native GraphQL interface, affecting the v25, v24 and v1.2.8 release lines. The three issues are an admin token disclosure through an unauthenticated debug endpoint and two DQL injection flaws; each lets an unauthenticated attacker who can reach an Alpha node's HTTP port obtain the Alpha admin token, gain full administrative access and exfiltrate the database. The business impact includes data breaches, unauthorized changes to the database schema and disruption of operations, with the attendant financial, reputational and compliance consequences.

  • CVE-2026-41492 (CVSS 9.8) – An unauthenticated attacker can retrieve the Alpha admin token with a plain GET to /debug/vars and replay it in the X-Dgraph-AuthToken header to reach admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, and that fix is incomplete: it blocks only the /debug/pprof/cmdline path while Alpha continues to serve http.DefaultServeMux, on which Go's expvar package registers its /debug/vars handler at import time. That handler publishes the process command line (the cmdline variable), so a token supplied as a startup flag is readable exactly as it was through the pprof endpoint.
  • CVE-2026-41328 (CVSS 9.1) – An unauthenticated attacker can inject DQL through the Lang field of an NQuad in a mutation. The injected fragment is executed server-side and its results are returned to the caller, exposing data the attacker is not authorized to read, including the Alpha admin token, and so leading to full administrative access.
  • CVE-2026-41327 (CVSS 9.1) – The same class of DQL injection through the condition field of an upsert mutation, with the same outcome: server-side execution of attacker-controlled DQL and disclosure of the admin token and other sensitive data.
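The DefaultServeMux pitfall behind CVE-2026-41492, shown as an added Go example that is not Dgraph's code: a handler that blocks only /debug/pprof/cmdline and falls through to http.DefaultServeMux sits beside one that serves a private mux, and the attacker's two steps (read /debug/vars, replay the token in X-Dgraph-AuthToken) are run in-process with httptest. The token value, the `--security token=` flag spelling and the /admin route are constructed for illustration and are not specific Dgraph options or endpoints.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	_ "expvar" // side effect: registers /debug/vars on http.DefaultServeMux
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: registers /debug/pprof/* on http.DefaultServeMux
	"os"
	"strings"
)

// demoToken is a constructed value standing in for the Alpha admin token.
const demoToken = "s3cr3t-admin-token"

// simulateStartupArgs mimics a process launched with the token on its command
// line. expvar's "cmdline" variable is a Func that reads os.Args on every
// request, so this is what /debug/vars publishes. Flag spelling is illustrative.
func simulateStartupArgs(token string) {
	os.Args = []string{"alpha", "--security", "token=" + token}
}

// requireToken gates next on the X-Dgraph-AuthToken header (constant-time compare).
func requireToken(adminToken string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("X-Dgraph-AuthToken"))
		if subtle.ConstantTimeCompare(got, []byte(adminToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

func adminEndpoint(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "admin ok") }

// vulnerableHandler models the incomplete fix: one pprof path is blocked, but
// every other request falls through to DefaultServeMux, which still carries
// expvar's /debug/vars handler.
func vulnerableHandler(adminToken string) http.Handler {
	admin := requireToken(adminToken, adminEndpoint)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/admin":
			admin(w, r)
		case "/debug/pprof/cmdline":
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			http.DefaultServeMux.ServeHTTP(w, r)
		}
	})
}

// hardenedHandler serves a private mux. Side-effect imports register on
// DefaultServeMux only, so nothing under /debug/ exists here unless added on purpose.
func hardenedHandler(adminToken string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "OK") })
	mux.HandleFunc("/admin", requireToken(adminToken, adminEndpoint))
	return mux
}

// get issues an in-process GET, optionally replaying a token in X-Dgraph-AuthToken.
func get(h http.Handler, path, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("X-Dgraph-AuthToken", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// leakedToken is the attacker's first step: fetch /debug/vars and pull the token
// out of the published command line. Returns "" if the endpoint is not served or
// the command line carries no token.
func leakedToken(h http.Handler) string {
	status, body := get(h, "/debug/vars", "")
	if status != http.StatusOK {
		return ""
	}
	var vars struct {
		Cmdline []string `json:"cmdline"`
	}
	if err := json.Unmarshal([]byte(body), &vars); err != nil {
		return ""
	}
	for _, arg := range vars.Cmdline {
		if strings.HasPrefix(arg, "token=") {
			return strings.TrimPrefix(arg, "token=")
		}
	}
	return ""
}

func main() {
	simulateStartupArgs(demoToken)
	vuln := vulnerableHandler(demoToken)
	tok := leakedToken(vuln)
	code, _ := get(vuln, "/admin", tok)
	fmt.Printf("vulnerable: /debug/vars leaked %q; replay against /admin -> %d\n", tok, code)
	hard := hardenedHandler(demoToken)
	code, _ = get(hard, "/debug/vars", "")
	fmt.Printf("hardened: /debug/vars -> %d, leaked %q\n", code, leakedToken(hard))
}
```

The point the example makes is that the fix has to be structural rather than a path denylist: as long as the listener hands unmatched requests to http.DefaultServeMux, every handler registered there by an imported package (expvar, pprof, or anything added in a future dependency) is exposed, and the blocked path list will always lag.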

The highest score of 9.8 marks this advisory as critical. Any Dgraph Alpha whose HTTP port is reachable by an untrusted party should be treated as exposed to unauthenticated administrative takeover and full data exfiltration until it is patched, with the schema changes and service disruption that follow from administrative access.

RECOMMENDATION:

  • Update Dgraph to version 25.3.3.
  • Until the update is applied, do not expose the Alpha HTTP port to untrusted networks, and deny the /debug/ path prefix at a reverse proxy or firewall in front of Alpha (general hardening; the advisories themselves list only the upgrade).
  • To check whether an Alpha is exposed to the token disclosure, issue an unauthenticated GET to /debug/vars on its HTTP port: a 200 response with a JSON body containing a cmdline array means the endpoint is being served. If it was ever reachable from an untrusted network, rotate the admin token after patching.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-vvf7-6rmr-m29q
https://github.com/advisories/GHSA-x92x-px7w-4gx4
https://github.com/advisories/GHSA-mrxx-39g5-ph77
