Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF. This vulnerability is fixed in 25.3.1.
The restoreTenant mutation was not included in the authorization middleware configuration (admin.go file), making it completely devoid of any authentication mechanism — in contrast to the similar restore mutation, which requires Guardian-of-Galaxy level authentication. An attacker can pass backup source URLs controlled by themselves to the mutation, including file:// schemes enabling access to the local file system, S3/MinIO credentials, encryption key file paths, and Vault credential file paths. The request can be sent without any authorization headers directly to the administrative interface.
An unauthenticated attacker can completely overwrite the database, read arbitrary files on the server side (including encryption keys and configuration files), and perform SSRF attacks on internal network infrastructure. In practice, this results in complete loss of confidentiality, integrity, and availability of data.
Dgraph should be updated to version 25.3.1, where the vulnerability has been fixed. Until the update is applied, it is recommended to restrict network access to the Dgraph administrative interface only to trusted hosts using a firewall or network rules.
Dgraph in versions prior to 25.3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HDgraph
APPDgraph≤ 25.3.0
Related vulnerabilities
Dgraph — wstrzyknięcie zapytania DQL umożliwia nieautoryzowany odczyt danych
DQL injection w Dgraph — nieuwierzytelniony pełny odczyt bazy danych
Dgraph: ujawnienie tokenu admina przez endpoint /debug/vars bez uwierzytelnienia
Dgraph: ujawnienie tokenu admina przez niezabezpieczony endpoint /debug/pprof/cmdline
Dgraph is an open source distributed GraphQL database. Existing Dgraph audit logs are vulnerable to brute forc...