Dgraph Distributed GraphQL Database Vulnerability in User Authentication
CVE-2026-44840

7.5HIGH

Key Information:

Vendor

Dgraph-io

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-44840?

Dgraph, an open-source distributed GraphQL database, is susceptible to a serious security flaw that allows for DQL injection. The vulnerability exists in the 'checkUserPassword' GraphQL query, where malicious actors can exploit user-supplied password values that are improperly handled. By injecting a password containing a double-quote character, an attacker may escape the DQL string literal, enabling them to insert arbitrary DQL query blocks. This issue impacts all versions of Dgraph prior to 25.3.4, which includes essential patches to rectify this security risk.

Affected Version(s)

dgraph < 25.3.4

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.