CVE-2026-34976: CWE-862: Missing Authorization in dgraph-io dgraph
Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF. This vulnerability is fixed in 25.3.1.
AI Analysis
Technical Summary
CVE-2026-34976 is a critical authorization bypass vulnerability in the open source distributed GraphQL database Dgraph (versions before 25.3.1). The restoreTenant admin mutation is not protected by the authorization middleware, unlike the similar restore mutation which requires authentication. This flaw allows unauthenticated attackers to supply arbitrary backup source URLs, including local filesystem paths, S3/MinIO credentials, encryption key file paths, and Vault credential file paths. Exploitation can lead to complete database overwrite, unauthorized file reads on the server, and SSRF attacks. The vulnerability has a CVSS 3.1 score of 10.0, reflecting its critical impact. The issue is fixed in Dgraph version 25.3.1. Since Dgraph is offered as a cloud service, the vendor typically manages patching and remediation.
Potential Impact
An unauthenticated attacker can fully compromise the Dgraph database by overwriting all data, accessing sensitive server-side files, and performing SSRF attacks. This results in complete confidentiality, integrity, and availability loss of the affected system. The vulnerability is critical with a CVSS score of 10.0, indicating maximum impact across all security dimensions.
Mitigation Recommendations
A fix is available in Dgraph version 25.3.1. Users should upgrade to this version to remediate the vulnerability. For the cloud-hosted Dgraph service, the vendor manages remediation and patching server-side. Check the vendor advisory for confirmation of patch deployment status. No additional mitigation steps are specified or required beyond applying the official fix.
CVE-2026-34976: CWE-862: Missing Authorization in dgraph-io dgraph
Description
Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF. This vulnerability is fixed in 25.3.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34976 is a critical authorization bypass vulnerability in the open source distributed GraphQL database Dgraph (versions before 25.3.1). The restoreTenant admin mutation is not protected by the authorization middleware, unlike the similar restore mutation which requires authentication. This flaw allows unauthenticated attackers to supply arbitrary backup source URLs, including local filesystem paths, S3/MinIO credentials, encryption key file paths, and Vault credential file paths. Exploitation can lead to complete database overwrite, unauthorized file reads on the server, and SSRF attacks. The vulnerability has a CVSS 3.1 score of 10.0, reflecting its critical impact. The issue is fixed in Dgraph version 25.3.1. Since Dgraph is offered as a cloud service, the vendor typically manages patching and remediation.
Potential Impact
An unauthenticated attacker can fully compromise the Dgraph database by overwriting all data, accessing sensitive server-side files, and performing SSRF attacks. This results in complete confidentiality, integrity, and availability loss of the affected system. The vulnerability is critical with a CVSS score of 10.0, indicating maximum impact across all security dimensions.
Mitigation Recommendations
A fix is available in Dgraph version 25.3.1. Users should upgrade to this version to remediate the vulnerability. For the cloud-hosted Dgraph service, the vendor manages remediation and patching server-side. Check the vendor advisory for confirmation of patch deployment status. No additional mitigation steps are specified or required beyond applying the official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T19:38:31.617Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d3dfa80a160ebd92c701db
Added to database: 4/6/2026, 4:30:32 PM
Last enriched: 4/6/2026, 4:47:34 PM
Last updated: 4/7/2026, 7:10:28 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.