Dgraph versions before 25.3.3 have a vulnerability due to improper neutralization of special elements in data query logic (CWE-943). In the default configuration without ACL enabled, an unauthenticated attacker can perform two HTTP POST requests to port 8080: first to set up a schema predicate with specific annotations via the /alter endpoint, and second to send a crafted JSON mutation to /mutate?commitNow=true. The vulnerability arises because the addQueryIfUnique function in edgraph/server.go constructs DQL queries using fmt.Sprintf with an unsanitized predicateName that includes a language tag extracted from JSON keys without validation. This allows injection of arbitrary DQL code, leading to unauthorized full read access to the database. The issue is resolved in dgraph version 25.3.3.

An unauthenticated attacker can exploit this vulnerability to gain full read access to all data stored in the affected Dgraph database instances running default configurations without ACL enabled. This compromises confidentiality but does not affect integrity or availability. The vulnerability has a CVSS 3.1 base score of 9.1 (critical), reflecting its ease of exploitation over the network without privileges and its high impact on confidentiality.

This vulnerability is fixed in dgraph version 25.3.3. Users should upgrade to version 25.3.3 or later to remediate this issue. If upgrading immediately is not possible, enabling Access Control Lists (ACL) in the configuration can mitigate the risk by preventing unauthenticated access. Patch status is not explicitly stated in vendor advisory content, but the fix is included in version 25.3.3. Users should consult the official dgraph release notes and advisories for detailed remediation instructions.