Unauthenticated Data Access Vulnerability in Dgraph Database
CVE-2026-41328

9.1 CRITICAL

Key Information:

Vendor: Dgraph-io
Status: Vendor
CVE Published: 24 April 2026

What is CVE-2026-41328?

Dgraph is an open-source distributed graph database with a native GraphQL interface. In versions prior to 25.3.3 its default configuration enforces no Access Control Lists (ACL), so the Dgraph Alpha HTTP port (8080) accepts schema changes and mutations from anyone who can reach it. An attacker can exploit this with two unauthenticated HTTP POST requests to that port: the first installs a malicious predicate in the schema, and the second submits a crafted JSON mutation that performs a DQL injection (DQL is Dgraph's own query language). Because the server builds a DQL query from the predicate name without sanitising it, the attacker controls the query that executes server-side and can read every value stored in the database. The result is unrestricted, unauthenticated read access to all database content. The issue is fixed in version 25.3.3; deployments that cannot upgrade immediately should make sure port 8080 is not reachable from untrusted networks.
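The two-request pattern above (a schema change followed shortly by a mutation from the same client) is easy to spot if a reverse proxy in front of Dgraph Alpha writes access logs. The following detection script is an added example, not code from the advisory or from the Dgraph project. It assumes nginx "combined" log lines, that /alter and /mutate are the Alpha endpoints the proxy sees (these are Dgraph's standard schema and mutation endpoints), and that schema changes are only legitimate from an allowlisted internal network; the log lines are constructed for the example.

```python
"""Flag the /alter -> /mutate sequence and out-of-policy schema changes in proxy access logs."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" format (assumption): ip - - [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one benign client (10.0.0.5), one attacker-like
# client (203.0.113.7) doing /alter then /mutate, and one rejected /alter.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/2026:10:14:50 +0000] "POST /mutate?commitNow=true HTTP/1.1" 200 120 "-" "app/1.0"',
    '203.0.113.7 - - [24/Apr/2026:10:15:01 +0000] "POST /alter HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '203.0.113.7 - - [24/Apr/2026:10:15:03 +0000] "POST /mutate?commitNow=true HTTP/1.1" 200 9812 "-" "curl/8.5.0"',
    '10.0.0.5 - - [24/Apr/2026:10:16:10 +0000] "POST /query HTTP/1.1" 200 300 "-" "app/1.0"',
    '198.51.100.9 - - [24/Apr/2026:10:20:00 +0000] "POST /alter HTTP/1.1" 401 0 "-" "curl/8.5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop query string such as ?commitNow=true
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
    }


def analyze(lines, allowed_schema_nets=("10.0.0.0/8",), window_seconds=60):
    """Return the /alter -> /mutate chains and every /alter from outside the allowlist.

    chains: (ip, alter_ts_iso, mutate_ts_iso) for a successful POST /alter followed by a
            successful POST /mutate from the same client within window_seconds.
    unexpected_alter: (ip, status) for any POST /alter whose source is not allowlisted,
            whether or not the server accepted it.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_schema_nets]
    window = timedelta(seconds=window_seconds)
    pending = defaultdict(list)  # ip -> timestamps of accepted /alter calls
    chains, unexpected_alter = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"] == "/alter":
            src = ipaddress.ip_address(ev["ip"])
            if not any(src in net for net in nets):
                unexpected_alter.append((ev["ip"], ev["status"]))
            if ev["status"] == 200:
                pending[ev["ip"]].append(ev["ts"])
        elif ev["path"] == "/mutate" and ev["status"] == 200:
            for alter_ts in pending[ev["ip"]]:
                if timedelta(0) <= ev["ts"] - alter_ts <= window:
                    chains.append((ev["ip"], alter_ts.isoformat(), ev["ts"].isoformat()))
    return {"chains": chains, "unexpected_alter": unexpected_alter}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

Both signals are worth alerting on independently: an /alter from an unexpected source is suspicious even if the server rejected it (as the 401 line shows), and the chain rule catches the actual exploit sequence when the server accepted the schema change.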

Affected Version(s)

dgraph < 25.3.3

CVSS v3.1

Score: 9.1
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 24 April 2026