CVE-2026-41327: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in dgraph-io dgraph
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
AI Analysis
Technical Summary
CVE-2026-41327 affects Dgraph, an open source distributed GraphQL database, in versions before 25.3.3. The vulnerability is due to improper neutralization of special elements in data query logic (CWE-943). Specifically, the cond field in an upsert mutation is concatenated directly into a DQL query string without proper escaping, parameterization, or structural validation. An attacker can inject additional DQL query blocks that the parser accepts as valid, resulting in execution of injected queries server-side and exposure of all database data in the HTTP response. This occurs in the default configuration where ACL is disabled. The vulnerability has a CVSS 3.1 score of 9.1 (critical).
Potential Impact
An unauthenticated attacker can perform a single HTTP POST request with a crafted cond field to execute arbitrary DQL queries, gaining full read access to all data in the affected Dgraph database. This compromises confidentiality but does not affect integrity or availability. The impact is critical due to the ease of exploitation and the breadth of data exposure.
Mitigation Recommendations
Upgrade Dgraph to version 25.3.3 or later, where this vulnerability is fixed. Since no official patch links or vendor advisory details are provided, confirm patch availability from the vendor. If upgrading immediately is not possible, enable Access Control Lists (ACL) to restrict unauthenticated access as a temporary mitigation. Patch status is not yet confirmed from vendor advisory; check the vendor's official resources for current remediation guidance.
CVE-2026-41327: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in dgraph-io dgraph
Description
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41327 affects Dgraph, an open source distributed GraphQL database, in versions before 25.3.3. The vulnerability is due to improper neutralization of special elements in data query logic (CWE-943). Specifically, the cond field in an upsert mutation is concatenated directly into a DQL query string without proper escaping, parameterization, or structural validation. An attacker can inject additional DQL query blocks that the parser accepts as valid, resulting in execution of injected queries server-side and exposure of all database data in the HTTP response. This occurs in the default configuration where ACL is disabled. The vulnerability has a CVSS 3.1 score of 9.1 (critical).
Potential Impact
An unauthenticated attacker can perform a single HTTP POST request with a crafted cond field to execute arbitrary DQL queries, gaining full read access to all data in the affected Dgraph database. This compromises confidentiality but does not affect integrity or availability. The impact is critical due to the ease of exploitation and the breadth of data exposure.
Mitigation Recommendations
Upgrade Dgraph to version 25.3.3 or later, where this vulnerability is fixed. Since no official patch links or vendor advisory details are provided, confirm patch availability from the vendor. If upgrading immediately is not possible, enable Access Control Lists (ACL) to restrict unauthenticated access as a temporary mitigation. Patch status is not yet confirmed from vendor advisory; check the vendor's official resources for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T14:01:46.672Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebbba787115cfb68655cc3
Added to database: 4/24/2026, 6:51:19 PM
Last enriched: 4/24/2026, 7:07:02 PM
Last updated: 4/25/2026, 7:02:31 AM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.