CVE-2026-41327CRITICAL 9.1EPSS p33.8%

CVE-2026-41327CVE-2026-41327

Description

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.42% probability of exploitation · percentile 33.8% · 2026-06-19T12:03:05Z
Published2026-04-24
Last modified2026-04-28

Underlying weaknesses· 1

CWE-943

References

  1. https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3
  2. https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77
  3. https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements in Data Query Logiccwe-9430%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-41328
CVE
CVE-2026-40173
CVE
CVE-2026-41492
CVE
CVE-2026-34976
CVE
CVE-2026-41422
CVE
CVE-2026-4370
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.