CRITICAL🇵🇱 Wersja polska

CVE-2026-34976

CVSS 10.0v3.1pub. 2026-04-06upd. 2026-04-22

Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF. This vulnerability is fixed in 25.3.1.

🤖 AI Analysis
How it works

The restoreTenant mutation was not included in the authorization middleware configuration (admin.go file), making it completely devoid of any authentication mechanism — in contrast to the similar restore mutation, which requires Guardian-of-Galaxy level authentication. An attacker can pass backup source URLs controlled by themselves to the mutation, including file:// schemes enabling access to the local file system, S3/MinIO credentials, encryption key file paths, and Vault credential file paths. The request can be sent without any authorization headers directly to the administrative interface.

Impact

An unauthenticated attacker can completely overwrite the database, read arbitrary files on the server side (including encryption keys and configuration files), and perform SSRF attacks on internal network infrastructure. In practice, this results in complete loss of confidentiality, integrity, and availability of data.

Mitigation & patch

Dgraph should be updated to version 25.3.1, where the vulnerability has been fixed. Until the update is applied, it is recommended to restrict network access to the Dgraph administrative interface only to trusted hosts using a firewall or network rules.

Who is affected

Dgraph in versions prior to 25.3.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Dgraph

    APP
    Dgraph
    ≤ 25.3.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SSRFAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-41327CRITICAL9.1PL ✓ten sam produkt

Dgraph — wstrzyknięcie zapytania DQL umożliwia nieautoryzowany odczyt danych

CVE-2026-41328CRITICAL9.1PL ✓ten sam produkt

DQL injection w Dgraph — nieuwierzytelniony pełny odczyt bazy danych

CVE-2026-41492CRITICAL9.8PL ✓ten sam produkt

Dgraph: ujawnienie tokenu admina przez endpoint /debug/vars bez uwierzytelnienia

CVE-2026-40173CRITICAL9.4PL ✓ten sam produkt

Dgraph: ujawnienie tokenu admina przez niezabezpieczony endpoint /debug/pprof/cmdline

CVE-2023-31135LOW3.3ten sam produkt

Dgraph is an open source distributed GraphQL database. Existing Dgraph audit logs are vulnerable to brute forc...