Data Exposure Vulnerability in Dgraph Open Source Database
CVE-2026-41327

9.1CRITICAL

Key Information:

Vendor: Dgraph-io
Status: Vendor
CVE Published: 24 April 2026

What is CVE-2026-41327?

Dgraph, an open-source distributed GraphQL database, contains a DQL injection vulnerability that lets an unauthenticated attacker gain unrestricted read access to all data. The issue arises because the default configuration has no access control lists (ACL), so the /mutate endpoint accepts requests from anyone. An attacker sends a specially crafted HTTP POST request to the /mutate endpoint containing an upsert mutation with a malicious cond field; the cond parameter is concatenated directly into the DQL query string without validation, which allows the attacker to inject additional DQL query blocks and read data they are not authorized to see. The issue is fixed in Dgraph version 25.3.3, which highlights the importance of upgrading and of running with a secure (ACL-enabled) configuration rather than the defaults.
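As an added illustration (not Dgraph's own code), the following Go snippet shows the splicing pattern the advisory describes beside a validator that rejects any cond value that is not a single, balanced @if(...) directive. The splice helper assumes, for the sake of the example, that the server rewrites @if to @filter and appends the result to a var block; the exact query shape is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// validateCond accepts only a single @if( ... ) directive: balanced parentheses
// (parentheses inside double-quoted strings are ignored), nothing after the
// closing ')', and no '{', '}' or '#' outside strings, so the value can neither
// open a new DQL block nor comment out the block it is spliced into.
func validateCond(cond string) error {
	c := strings.TrimSpace(cond)
	if c == "" {
		return nil // no condition: unconditional mutation, nothing is spliced
	}
	if !strings.HasPrefix(c, "@if(") {
		return errors.New("cond must start with @if(")
	}
	depth, inStr := 0, false
	for i := len("@if"); i < len(c); i++ {
		ch := c[i]
		switch {
		case inStr: // inside a string literal: only the closing quote matters
			if ch == '\\' {
				i++ // skip the escaped character
			} else if ch == '"' {
				inStr = false
			}
		case ch == '"':
			inStr = true
		case ch == '{' || ch == '}' || ch == '#':
			return fmt.Errorf("forbidden character %q in cond", ch)
		case ch == '(':
			depth++
		case ch == ')':
			depth--
			if depth == 0 && i != len(c)-1 {
				return errors.New("trailing content after @if(...)")
			}
		}
	}
	if inStr || depth != 0 {
		return errors.New("unterminated string or unbalanced parentheses")
	}
	return nil
}

// buildCondVar mirrors the concatenation the advisory describes (simplified
// illustration, assumed shape): cond is rewritten to @filter and spliced into a
// var block. Running validateCond first is the mitigation.
func buildCondVar(varName, cond string) (string, error) {
	if err := validateCond(cond); err != nil {
		return "", err
	}
	filter := strings.Replace(strings.TrimSpace(cond), "@if", "@filter", 1)
	return fmt.Sprintf("%s as var(func: uid(0)) %s", varName, filter), nil
}
```

A cond that closes the directive and then opens a further block fails the "trailing content" check before it can reach the query string.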

Affected Version(s)

dgraph < 25.3.3

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
