Unauthenticated Access in Dgraph's RestoreTenant Mutation
CVE-2026-34976

CVSS Score: 10 (CRITICAL)

Key Information:

Vendor: Dgraph-io
Status: Vendor
CVE Published: 6 April 2026

What is CVE-2026-34976?

Dgraph, an open-source distributed GraphQL database, exposes a restoreTenant admin mutation that, prior to version 25.3.1, was registered without any authorization middleware. The related restore mutation requires admin authentication; restoreTenant did not, so any client that can reach the admin GraphQL endpoint over the network can invoke it. The caller controls all of the mutation's inputs: the backup source location (including local paths via file:// URLs), the S3/MinIO credentials, the encryption key file path, and the Vault credential file paths. An unauthenticated attacker can therefore restore an attacker-controlled backup and overwrite the entire database, make the server read sensitive local files, and make the server issue requests to attacker-chosen endpoints (server-side request forgery). The issue is fixed in version 25.3.1. Until an upgrade is possible, the admin GraphQL endpoint should not be reachable from untrusted networks.
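The root cause described above is a wiring defect: one admin mutation wrapped in an auth middleware, a sibling mutation registered bare. The following Go example is added here to illustrate that pattern and one way to harden it; it is not Dgraph's code and does not use Dgraph's APIs. The `Request`, `Resolver`, `withAdminAuth` and `validateLocation` names, the `"valid-admin-token"` credential and the scheme allowlist are all invented for the example. The hardened wiring applies the middleware to every mutation by construction, so a newly added mutation cannot be registered without it, and adds an allowlist on the backup location as defense in depth against the file:// and SSRF paths (that second control is the example's own addition, not the project's fix).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnauthorized is returned when a caller presents no valid admin credential.
var ErrUnauthorized = errors.New("unauthorized: admin credentials required")

// Request is a minimal stand-in for an admin GraphQL request (constructed for this example).
type Request struct {
	Token string            // credential presented by the caller; empty for anonymous callers
	Args  map[string]string // mutation arguments, e.g. "location"
}

// Resolver handles one admin mutation and returns a summary of what it did.
type Resolver func(ctx context.Context, req Request) (string, error)

// withAdminAuth is a hypothetical middleware: reject callers without a valid admin token.
// A real implementation would validate a signed token or ACL session; the literal is a stand-in.
func withAdminAuth(next Resolver) Resolver {
	return func(ctx context.Context, req Request) (string, error) {
		if req.Token != "valid-admin-token" {
			return "", ErrUnauthorized
		}
		return next(ctx, req)
	}
}

// validateLocation is an added defense-in-depth check: only allowlisted remote schemes
// are accepted as a backup source, so file:// and arbitrary http:// targets are refused.
func validateLocation(next Resolver) Resolver {
	allowed := map[string]bool{"s3": true, "minio": true} // illustrative allowlist
	return func(ctx context.Context, req Request) (string, error) {
		loc := req.Args["location"]
		u, err := url.Parse(loc)
		if err != nil || !allowed[strings.ToLower(u.Scheme)] {
			return "", fmt.Errorf("rejected backup location %q", loc)
		}
		return next(ctx, req)
	}
}

// restoreResolver stands in for the actual restore work; it only reports the source it would use.
func restoreResolver(ctx context.Context, req Request) (string, error) {
	return "restored from " + req.Args["location"], nil
}

// vulnerableResolvers mirrors the defect: restore is wrapped, restoreTenant is registered bare.
func vulnerableResolvers() map[string]Resolver {
	return map[string]Resolver{
		"restore":       withAdminAuth(restoreResolver),
		"restoreTenant": restoreResolver, // no middleware: reachable by anonymous callers
	}
}

// hardenedResolvers wraps every admin mutation uniformly, so the auth check cannot be forgotten.
func hardenedResolvers() map[string]Resolver {
	raw := map[string]Resolver{
		"restore":       restoreResolver,
		"restoreTenant": restoreResolver,
	}
	out := make(map[string]Resolver, len(raw))
	for name, r := range raw {
		out[name] = withAdminAuth(validateLocation(r)) // auth first, then input validation
	}
	return out
}

// Dispatch looks up a mutation by name and runs it with the given request.
func Dispatch(resolvers map[string]Resolver, name string, req Request) (string, error) {
	r, ok := resolvers[name]
	if !ok {
		return "", fmt.Errorf("unknown mutation %q", name)
	}
	return r(context.Background(), req)
}

func main() {
	// Constructed anonymous request pointing the restore at a local file.
	anon := Request{Args: map[string]string{"location": "file:///etc/passwd"}}
	sets := []struct {
		name string
		rs   map[string]Resolver
	}{
		{"vulnerable", vulnerableResolvers()},
		{"hardened", hardenedResolvers()},
	}
	for _, s := range sets {
		out, err := Dispatch(s.rs, "restoreTenant", anon)
		fmt.Printf("%s restoreTenant: result=%q err=%v\n", s.name, out, err)
	}
}
```

Running `main` shows the anonymous restoreTenant call succeeding against the vulnerable map and failing with the unauthorized error against the hardened one. The point of `hardenedResolvers` is structural: because wrapping happens in one loop over the registration table, a reviewer only has to check that loop rather than every individual entry.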

Affected Version(s)

dgraph < 25.3.1

CVSS V3.1

Score: 10
Severity: CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 6 April 2026

  • Vulnerability reserved