CVE-2026-41327: Dgraph GraphQL Database Critical Unauthenticated Data Read
A critical vulnerability, CVE-2026-41327, has been identified in Dgraph, an open-source distributed graph database that exposes GraphQL and DQL interfaces. According to the National Vulnerability Database, in versions prior to 25.3.3 an unauthenticated attacker can read every record in the database. The attack works against Dgraph's default configuration, in which Access Control Lists (ACLs) are disabled, so many deployments are exposed out of the box.
The attack is a single HTTP POST to /mutate?commitNow=true whose body carries an upsert mutation with a crafted cond field. Per the NVD description, the cond value is concatenated directly into the DQL query string with no escaping, parameterization or structural validation. An attacker can therefore terminate the intended condition and append an additional DQL query block; the parser accepts the combined text, executes it server-side, and returns the injected block's results in the HTTP response. The flaw is classified as CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) and scored CVSS 9.1 (Critical).
This is a severe data-exposure risk: the request is trivial to craft, needs no credentials, and hands the data straight back to the caller. Network-reachable Dgraph instances running without ACLs are therefore prime targets. The fix ships in Dgraph 25.3.3; anyone running an earlier version should patch immediately.
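To make the injection mechanism concrete, here is a simplified Go model written for this page. It is not Dgraph's code and does not reproduce the real request: concatUpsert mirrors the pattern the advisory describes (the cond written straight into the DQL text with strings.Builder.WriteString), validateCond is the kind of structural check the advisory says is missing, and the sample query, N-Quads and the injected cond are constructed illustrations of the injection class, not a working exploit.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample inputs for this example (not taken from the advisory).
const (
	sampleQuery  = `query { q(func: eq(email, "alice@example.com")) { v as uid } }`
	sampleNquads = `uid(v) <email> "alice@example.com" .`
	legitCond    = `@if(eq(len(v), 0))`
	// A cond that closes the mutation clause and opens another block. This is
	// an illustration of the injection class, not the actual CVE payload.
	injectedCond = `@if(eq(1, 1)) { set { } } } { leak(func: has(dgraph.type)) { uid } } mutation @if(eq(1, 1))`
)

// concatUpsert builds the upsert block the way the advisory describes the
// vulnerable code doing it: the caller-supplied cond is written verbatim into
// the DQL text. Whatever the cond contains ends up in the query the server parses.
func concatUpsert(query, cond, setNquads string) string {
	var sb strings.Builder
	sb.WriteString("upsert {\n  ")
	sb.WriteString(query)
	sb.WriteString("\n  mutation ")
	sb.WriteString(cond) // attacker-controlled, no escaping or validation
	sb.WriteString(" {\n    set {\n      ")
	sb.WriteString(setNquads)
	sb.WriteString("\n    }\n  }\n}\n")
	return sb.String()
}

// validateCond enforces the only shape a legitimate upsert condition has:
// "@if(" ... ")" with balanced parentheses, no block delimiters, comments or
// newlines, so the value cannot close the mutation clause or open a new block.
// Characters inside double-quoted string literals are not inspected.
func validateCond(cond string) (string, error) {
	c := strings.TrimSpace(cond)
	if c == "" {
		return "", nil // no condition: plain unconditional mutation
	}
	if !strings.HasPrefix(c, "@if(") || !strings.HasSuffix(c, ")") {
		return "", errors.New("cond must have the form @if(...)")
	}
	depth, inQuote := 0, false
	for i := 0; i < len(c); i++ {
		ch := c[i]
		if inQuote {
			if ch == '\\' {
				i++ // skip the escaped character
			} else if ch == '"' {
				inQuote = false
			}
			continue
		}
		switch ch {
		case '"':
			inQuote = true
		case '{', '}', '\n', '\r', '#':
			return "", fmt.Errorf("cond contains forbidden character %q", ch)
		case '(':
			depth++
		case ')':
			depth--
			if depth < 0 {
				return "", errors.New("unbalanced parentheses in cond")
			}
			if depth == 0 && i != len(c)-1 {
				return "", errors.New("cond closes @if() before the end of the value")
			}
		}
	}
	if inQuote || depth != 0 {
		return "", errors.New("unterminated string or parentheses in cond")
	}
	return c, nil
}

// buildUpsert is the hardened variant: concatenation is only reached with a
// cond that passed the structural allow-list above.
func buildUpsert(query, cond, setNquads string) (string, error) {
	c, err := validateCond(cond)
	if err != nil {
		return "", err
	}
	return concatUpsert(query, c, setNquads), nil
}

func main() {
	fmt.Println("--- vulnerable builder emits the injected block verbatim ---")
	fmt.Print(concatUpsert(sampleQuery, injectedCond, sampleNquads))
	if _, err := buildUpsert(sampleQuery, injectedCond, sampleNquads); err != nil {
		fmt.Println("--- hardened builder rejects it:", err)
	}
	if out, err := buildUpsert(sampleQuery, legitCond, sampleNquads); err == nil {
		fmt.Print("--- hardened builder accepts a normal cond ---\n", out)
	}
}
```

The allow-list is deliberately narrow: it accepts nested function calls, AND/OR combinations and quoted literals, but anything that could end the `@if(...)` directive early or start a new block is refused rather than escaped, which is the right default for a value that is spliced into query text.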
What This Means For You
- If your organization runs Dgraph, check the Alpha version now. Any instance older than 25.3.3 whose HTTP endpoint is reachable by untrusted clients and that runs without ACLs can be read in full by anyone able to send a single POST request. Upgrade to 25.3.3 or newer, enable ACLs as a baseline control (this removes the unauthenticated precondition but is not a substitute for the patch), and restrict network access to Dgraph's HTTP and gRPC ports to the application tier.
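A version check you can run against a cluster, as an added example for this page (not a tool from the Dgraph project). It reads the Alpha /health endpoint and flags any instance reporting a release below 25.3.3. The JSON field names and the default HTTP port 8080 are assumptions about Dgraph Alpha's output; the embedded sample response is constructed so the parsing logic can be exercised offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"
)

// First fixed release per the advisory.
var fixedVersion = [3]int{25, 3, 3}

// healthEntry is the subset of the /health JSON this check needs. Assumption:
// Dgraph Alpha returns one object per instance with a "version" such as "v25.3.2".
type healthEntry struct {
	Instance string `json:"instance"`
	Address  string `json:"address"`
	Status   string `json:"status"`
	Version  string `json:"version"`
}

// sampleHealth is a constructed /health response for offline use.
const sampleHealth = `[
  {"instance":"alpha","address":"alpha1:7080","status":"healthy","version":"v25.3.2"},
  {"instance":"alpha","address":"alpha2:7080","status":"healthy","version":"v25.3.3"}
]`

// parseVersion accepts "v25.3.2", "25.3.2", "v25.3.2-rc1" and older "v21.03.0" styles.
func parseVersion(v string) ([3]int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release / build metadata
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, fmt.Errorf("unexpected version format %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, fmt.Errorf("bad version component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// isFixed reports whether v is 25.3.3 or later.
func isFixed(v string) (bool, error) {
	parsed, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	for i := range parsed {
		if parsed[i] != fixedVersion[i] {
			return parsed[i] > fixedVersion[i], nil
		}
	}
	return true, nil
}

// vulnerableInstances lists every instance in a /health body that reports an
// unfixed release, as "address (version)".
func vulnerableInstances(body []byte) ([]string, error) {
	var entries []healthEntry
	if err := json.Unmarshal(body, &entries); err != nil {
		return nil, err
	}
	var out []string
	for _, e := range entries {
		fixed, err := isFixed(e.Version)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", e.Address, err)
		}
		if !fixed {
			out = append(out, fmt.Sprintf("%s (%s)", e.Address, e.Version))
		}
	}
	return out, nil
}

func main() {
	// Usage: go run . http://alpha:8080/health   (8080 is Alpha's default HTTP port)
	url := "http://localhost:8080/health"
	if len(os.Args) > 1 {
		url = os.Args[1]
	}
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		fmt.Fprintln(os.Stderr, "health request failed:", err)
		os.Exit(2)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Fprintln(os.Stderr, "reading body failed:", err)
		os.Exit(2)
	}
	vuln, err := vulnerableInstances(body)
	if err != nil {
		fmt.Fprintln(os.Stderr, "could not evaluate versions:", err)
		os.Exit(2)
	}
	if len(vuln) == 0 {
		fmt.Println("all instances report 25.3.3 or later")
		return
	}
	for _, v := range vuln {
		fmt.Println("UNFIXED:", v)
	}
	os.Exit(1)
}
```

A clean result only covers the version half of the exposure; whether ACLs are enabled has to be confirmed from the Alpha's own configuration, and an unfixed instance that happens to run with ACLs on should still be scheduled for upgrade.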
Related ATT&CK Techniques
- T1190 Exploit Public-Facing Application (Initial Access)
🛡️ Detection Rules
Web Application Exploitation Attempt — CVE-2026-41327
```yaml
title: Dgraph Unauthenticated Upsert Mutation — CVE-2026-41327
id: scw-2026-04-24-1
status: experimental
level: high
description: |
  Detects HTTP POST requests to the Dgraph Alpha /mutate endpoint with the
  commitNow parameter, the request shape used for the DQL injection in
  CVE-2026-41327. Web server access logs normally do not carry the request
  body, so the injected cond value itself cannot be matched here; treat hits
  against instances older than 25.3.3 without ACL enabled, or from sources
  outside the application tier, as exploitation attempts.
author: SCW Feed Engine (auto-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41327/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    cs-uri-stem|endswith: '/mutate'
    cs-uri-query|contains: 'commitNow=true'
  condition: selection
falsepositives:
  - Legitimate application clients issuing upsert mutations to Dgraph; baseline expected source addresses and user agents before alerting
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41327 | Information Disclosure | Dgraph versions prior to 25.3.3 |
| CVE-2026-41327 | Information Disclosure | Unauthenticated HTTP POST to /mutate?commitNow=true with crafted 'cond' field in upsert mutation |
| CVE-2026-41327 | Code Injection | DQL query injection via 'cond' field due to lack of escaping/parameterization in strings.Builder.WriteString |
| CVE-2026-41327 | Misconfiguration | Dgraph default configuration where ACL is not enabled |
Source & Attribution
| Field | Value |
|---|---|
| Source platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 24, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.