Description

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.

INFO

Published Date :

2026-04-24T18:27:51.477Z

Last Modified :

2026-04-24T19:05:56.125Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41327 vulnerability.

Vendors Products
Dgraph
  • Dgraph
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41327.

URL Resource
https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3 cve-icon cve-icon
https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact