Dgraph Distributed GraphQL Database Vulnerability in User Authentication
CVE-2026-44840
7.5HIGH
What is CVE-2026-44840?
Dgraph, an open-source distributed GraphQL database, is susceptible to a serious security flaw that allows for DQL injection. The vulnerability exists in the 'checkUserPassword' GraphQL query, where malicious actors can exploit user-supplied password values that are improperly handled. By injecting a password containing a double-quote character, an attacker may escape the DQL string literal, enabling them to insert arbitrary DQL query blocks. This issue impacts all versions of Dgraph prior to 25.3.4, which includes essential patches to rectify this security risk.
Affected Version(s)
dgraph < 25.3.4
