CVE-2026-41327: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in dgraph-io dgraph
A critical vulnerability (CVE-2026-41327) exists in dgraph-io dgraph versions prior to 25. 3. 3 where an unauthenticated attacker can gain full read access to all data in the database. This occurs due to improper neutralization of special elements in data query logic (CWE-943) in the cond field of an upsert mutation. The vulnerability arises because the cond value is concatenated directly into a DQL query string without proper escaping or validation, allowing injection of additional query blocks. The issue affects default configurations without ACL enabled. The vulnerability is fixed in version 25. 3. 3.
AI Analysis
Technical Summary
Dgraph, an open source distributed GraphQL database, has a critical vulnerability (CVE-2026-41327) affecting versions before 25.3.3. The flaw is an improper neutralization of special elements in data query logic (CWE-943) where the cond field in an upsert mutation is concatenated into a DQL query string without sufficient sanitization. This allows an unauthenticated attacker to inject additional DQL query blocks, which are executed server-side and return data in the HTTP response. The attack requires a single crafted HTTP POST request to /mutate?commitNow=true. The vulnerability impacts default configurations where ACL is not enabled. The issue is resolved in version 25.3.3.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to gain full read access to every piece of data stored in the affected Dgraph database instances running versions prior to 25.3.3 with default ACL settings disabled. This compromises confidentiality but does not affect data integrity or availability. The vulnerability has a CVSS score of 9.1 (critical). There are no known exploits in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in Dgraph version 25.3.3. Users should upgrade to version 25.3.3 or later to remediate the issue. Since no official patch links or vendor advisory content are provided, patch status is inferred from the description stating the fix is in 25.3.3. Until upgraded, enabling ACL (Access Control Lists) can mitigate exposure by restricting unauthenticated access. Monitor vendor channels for official advisories and patches.
CVE-2026-41327: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in dgraph-io dgraph
Description
A critical vulnerability (CVE-2026-41327) exists in dgraph-io dgraph versions prior to 25. 3. 3 where an unauthenticated attacker can gain full read access to all data in the database. This occurs due to improper neutralization of special elements in data query logic (CWE-943) in the cond field of an upsert mutation. The vulnerability arises because the cond value is concatenated directly into a DQL query string without proper escaping or validation, allowing injection of additional query blocks. The issue affects default configurations without ACL enabled. The vulnerability is fixed in version 25. 3. 3.
CVSS v3.1
Score 9.1critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Dgraph, an open source distributed GraphQL database, has a critical vulnerability (CVE-2026-41327) affecting versions before 25.3.3. The flaw is an improper neutralization of special elements in data query logic (CWE-943) where the cond field in an upsert mutation is concatenated into a DQL query string without sufficient sanitization. This allows an unauthenticated attacker to inject additional DQL query blocks, which are executed server-side and return data in the HTTP response. The attack requires a single crafted HTTP POST request to /mutate?commitNow=true. The vulnerability impacts default configurations where ACL is not enabled. The issue is resolved in version 25.3.3.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to gain full read access to every piece of data stored in the affected Dgraph database instances running versions prior to 25.3.3 with default ACL settings disabled. This compromises confidentiality but does not affect data integrity or availability. The vulnerability has a CVSS score of 9.1 (critical). There are no known exploits in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in Dgraph version 25.3.3. Users should upgrade to version 25.3.3 or later to remediate the issue. Since no official patch links or vendor advisory content are provided, patch status is inferred from the description stating the fix is in 25.3.3. Until upgraded, enabling ACL (Access Control Lists) can mitigate exposure by restricting unauthenticated access. Monitor vendor channels for official advisories and patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T14:01:46.672Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebbba787115cfb68655cc3
Added to database: 4/24/2026, 6:51:19 PM
Last enriched: 5/1/2026, 8:42:07 PM
Last updated: 6/9/2026, 2:53:19 PM
Views: 120
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.