CVE-2026-34976: CWE-862: Missing Authorization in dgraph-io dgraph
CVE-2026-34976 is a critical authorization bypass vulnerability in dgraph-io's open source distributed GraphQL database, dgraph, affecting versions prior to 25. 3. 1. The restoreTenant admin mutation lacks authorization middleware, allowing unauthenticated attackers to execute it without restriction. This mutation accepts attacker-controlled inputs such as backup source URLs, S3/MinIO credentials, encryption key file paths, and Vault credential file paths. Exploitation can lead to full database overwrite, server-side file reading, and server-side request forgery (SSRF). The vulnerability is fixed in version 25. 3. 1. The product is a cloud service, and the vendor manages remediation for the hosted service.
AI Analysis
Technical Summary
Dgraph versions before 25.3.1 contain a missing authorization check (CWE-862) in the restoreTenant admin mutation. Unlike the similar restore mutation that requires Guardian-of-Galaxy authentication, restoreTenant executes without any middleware, allowing unauthenticated attackers to invoke it. The mutation accepts parameters that can be manipulated to overwrite the entire database, read sensitive server files, and perform SSRF attacks. This vulnerability is addressed in dgraph version 25.3.1. The vulnerability affects both on-premises and cloud deployments, with the vendor managing patching for the cloud service.
Potential Impact
An unauthenticated attacker can fully compromise the dgraph database by overwriting data, accessing sensitive server files, and conducting SSRF attacks. This leads to complete confidentiality, integrity, and availability loss of the database and potentially the underlying server environment. The CVSS 3.1 base score is 10.0, reflecting the critical nature of this vulnerability.
Mitigation Recommendations
A fix is available in dgraph version 25.3.1. Users should upgrade to this version to remediate the vulnerability. For the cloud-hosted dgraph service, the vendor manages remediation and patches server-side. Check the vendor advisory for confirmation of patch deployment status. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-34976: CWE-862: Missing Authorization in dgraph-io dgraph
Description
CVE-2026-34976 is a critical authorization bypass vulnerability in dgraph-io's open source distributed GraphQL database, dgraph, affecting versions prior to 25. 3. 1. The restoreTenant admin mutation lacks authorization middleware, allowing unauthenticated attackers to execute it without restriction. This mutation accepts attacker-controlled inputs such as backup source URLs, S3/MinIO credentials, encryption key file paths, and Vault credential file paths. Exploitation can lead to full database overwrite, server-side file reading, and server-side request forgery (SSRF). The vulnerability is fixed in version 25. 3. 1. The product is a cloud service, and the vendor manages remediation for the hosted service.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Dgraph versions before 25.3.1 contain a missing authorization check (CWE-862) in the restoreTenant admin mutation. Unlike the similar restore mutation that requires Guardian-of-Galaxy authentication, restoreTenant executes without any middleware, allowing unauthenticated attackers to invoke it. The mutation accepts parameters that can be manipulated to overwrite the entire database, read sensitive server files, and perform SSRF attacks. This vulnerability is addressed in dgraph version 25.3.1. The vulnerability affects both on-premises and cloud deployments, with the vendor managing patching for the cloud service.
Potential Impact
An unauthenticated attacker can fully compromise the dgraph database by overwriting data, accessing sensitive server files, and conducting SSRF attacks. This leads to complete confidentiality, integrity, and availability loss of the database and potentially the underlying server environment. The CVSS 3.1 base score is 10.0, reflecting the critical nature of this vulnerability.
Mitigation Recommendations
A fix is available in dgraph version 25.3.1. Users should upgrade to this version to remediate the vulnerability. For the cloud-hosted dgraph service, the vendor manages remediation and patches server-side. Check the vendor advisory for confirmation of patch deployment status. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T19:38:31.617Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d3dfa80a160ebd92c701db
Added to database: 4/6/2026, 4:30:32 PM
Last enriched: 4/14/2026, 3:57:32 PM
Last updated: 5/22/2026, 1:43:49 AM
Views: 75
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.