🚨 BREAKING

Dgraph CVE-2026-41328: Unauthenticated Data Read Access Critical Flaw

A critical vulnerability, CVE-2026-41328, has been identified in Dgraph, an open-source distributed GraphQL database. The National Vulnerability Database reports that versions prior to 25.3.3 are susceptible to unauthenticated full read access to all data. This flaw affects Dgraph’s default configuration where Access Control Lists (ACL) are not enabled, making it a significant risk for deployments that haven’t explicitly hardened their setup.

The attack vector is straightforward, requiring two unauthenticated HTTP POST requests to port 8080. The first request establishes a schema predicate via /alter, and the second sends a crafted JSON mutation to /mutate?commitNow=true. The injection abuses the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName values. Specifically, the Lang field, extracted from JSON mutation keys, is never validated, allowing an attacker to inject arbitrary DQL. This results in server-side query execution and data exfiltration directly in the HTTP response.

This isn’t theoretical; it’s a direct DQL injection that bypasses authentication in a default configuration. The attacker’s calculus here is simple: if Dgraph is exposed on port 8080 with default settings, it’s an open book. Defenders need to recognize that ‘default config’ often means ‘most vulnerable config.’ The fix is in version 25.3.3.
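As an added illustration (not Dgraph's own code; the function names, the predicate allowlist and the query shape are assumptions), here is the string-building pattern the advisory describes beside a hardened version that validates the predicate and language tag before any DQL is assembled:

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Allowlists (assumed for this example, not Dgraph's own rules): a predicate is a
// plain identifier, a language tag is letters/digits/hyphens as in "en" or "en-US".
// Anything else, including ')', '@', '#', quotes or whitespace, never reaches the query.
var (
	predRE    = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_.]*$`)
	langTagRE = regexp.MustCompile(`^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*$`)
)

var errBadInput = errors.New("predicate or language tag failed validation")

// buildUniqueQueryUnsafe shows the vulnerable pattern: caller-controlled predicate
// and language tag are pasted into DQL with fmt.Sprintf, so a tag that closes the
// function call rewrites the query structure (hypothetical reconstruction).
func buildUniqueQueryUnsafe(pred, lang string) string {
	if lang != "" {
		pred = pred + "@" + lang
	}
	return fmt.Sprintf(`{ q(func: eq(%s, $val)) { uid } }`, pred)
}

// buildUniqueQuery is the hardened form: validate both fields against the
// allowlists first and refuse to build the query otherwise. The compared value
// stays in a query variable ($val) rather than being interpolated.
func buildUniqueQuery(pred, lang string) (string, error) {
	if !predRE.MatchString(pred) || (lang != "" && !langTagRE.MatchString(lang)) {
		return "", errBadInput
	}
	return buildUniqueQueryUnsafe(pred, lang), nil
}

func main() {
	if q, err := buildUniqueQuery("name", "en-US"); err == nil {
		fmt.Println("ok:", q)
	}
	_, err := buildUniqueQuery("name", "en)#")
	fmt.Println("rejected:", err)
}
```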

What This Means For You

  • If your organization uses Dgraph, you need to immediately verify your version. If it's prior to 25.3.3 and ACLs are not enabled, assume compromise. Patch to 25.3.3 without delay, and review all Dgraph instances for network exposure on port 8080. This isn't just a potential data leak; it's a full data dump for an unauthenticated attacker.

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access)

🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; one is shown below as Sigma YAML.

Severity: critical · ATT&CK: T1190 Initial Access

CVE-2026-41328: Dgraph Unauthenticated Data Read via /alter and /mutate

Sigma YAML
title: CVE-2026-41328: Dgraph Unauthenticated Data Read via /alter and /mutate
id: scw-2026-04-24-ai-1
status: experimental
level: critical
description: |
  Detects the two HTTP POST requests that make up the exploit against Dgraph on port 8080: one to '/alter' (schema change) and one to '/mutate' with 'commitNow=true'. Each request is matched as its own event; correlate hits from the same client IP within a short window to surface the full two-stage pattern. The DQL injection characters (')', '@', '#') travel in the JSON body of the /mutate request, so they are only visible where the proxy or WAF logs request bodies, not in a plain access log. Affects Dgraph versions prior to 25.3.3 with ACLs not enabled.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41328/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_base:
    cs-method: 'POST'
    dst_port: 8080
  selection_alter:
    cs-uri-query|endswith: '/alter'
  selection_mutate:
    cs-uri-query|contains|all:
      - '/mutate'
      - 'commitNow=true'
  condition: selection_base and (selection_alter or selection_mutate)
falsepositives:
  - Legitimate administrative activity (schema changes and mutations from known clients)
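A Sigma rule matches each request as a separate event, so the /alter-then-/mutate ordering needs a correlation step. Added example (not part of the original rule or feed) in Go that links a POST /alter to a later POST /mutate?commitNow=true from the same client within a window, run over constructed Common Log Format lines:

```go
package main

import (
	"regexp"
	"strings"
	"time"
)

// clfRE pulls client IP, timestamp, method and request target out of a
// Common Log Format line; clfTime is the CLF timestamp layout.
var clfRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}`)
const clfTime = "02/Jan/2006:15:04:05 -0700"

// FindTwoStage returns client IPs that sent POST /alter and then, within
// window, POST /mutate?commitNow=true. A per-event Sigma rule cannot express
// this ordering; this is the correlation a SIEM would run over its hits.
func FindTwoStage(lines []string, window time.Duration) []string {
	lastAlter := map[string]time.Time{} // most recent /alter per client
	var hits []string
	for _, ln := range lines {
		m := clfRE.FindStringSubmatch(ln)
		if m == nil {
			continue // not a parsable access-log line
		}
		ts, err := time.Parse(clfTime, m[2])
		if err != nil || m[3] != "POST" {
			continue
		}
		ip, target := m[1], m[4]
		switch {
		case strings.HasSuffix(target, "/alter"):
			lastAlter[ip] = ts
		case strings.HasPrefix(target, "/mutate") && strings.Contains(target, "commitNow=true"):
			if t, ok := lastAlter[ip]; ok && !ts.Before(t) && ts.Sub(t) <= window {
				hits = append(hits, ip)
				delete(lastAlter, ip) // report each /alter -> /mutate pair once
			}
		}
	}
	return hits
}

// sampleLog is constructed for this example, not captured from a real server.
var sampleLog = []string{
	`203.0.113.7 - - [24/Apr/2026:22:17:01 +0000] "POST /alter HTTP/1.1" 200 45`,
	`203.0.113.7 - - [24/Apr/2026:22:17:03 +0000] "POST /mutate?commitNow=true HTTP/1.1" 200 812`,
	`198.51.100.9 - - [24/Apr/2026:22:30:00 +0000] "POST /mutate?commitNow=true HTTP/1.1" 200 120`,
	`192.0.2.5 - - [24/Apr/2026:20:00:00 +0000] "POST /alter HTTP/1.1" 200 45`,
	`192.0.2.5 - - [24/Apr/2026:22:40:00 +0000] "POST /mutate?commitNow=true HTTP/1.1" 200 90`,
}
```

With a 5-minute window only 203.0.113.7 is reported; 198.51.100.9 never sent /alter and 192.0.2.5's requests are hours apart.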

Source: Shimi's Cyber World

Indicators of Compromise

ID · Type · Indicator
CVE-2026-41328 · Information Disclosure · Dgraph versions prior to 25.3.3
CVE-2026-41328 · Code Injection · Dgraph default configuration with ACL not enabled
CVE-2026-41328 · Code Injection · HTTP POST to /alter on port 8080 to set up schema predicate
CVE-2026-41328 · Code Injection · HTTP POST to /mutate?commitNow=true on port 8080 with crafted JSON mutation and DQL injection payload in language tag position
CVE-2026-41328 · Code Injection · Vulnerable function: addQueryIfUnique in edgraph/server.go due to unsanitized pred.Lang value

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 24, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
