Dgraph patches unauthenticated restoreTenant admin mutation takeover
TL;DR — A pre-auth Dgraph admin GraphQL auth bypass lets attackers trigger restoreTenant to overwrite the database and pivot into SSRF and server-side file reads via backup-restore inputs.
What happened
Dgraph is an open-source distributed GraphQL database that exposes an administrative GraphQL endpoint for cluster and data management.
CVE-2026-34976 describes a Critical (CVSS 10.0) issue where the restoreTenant admin mutation is missing authorization middleware, making it reachable without authentication. The advisory notes restoreTenant executes with “zero middleware” and can accept attacker-controlled restore inputs such as backup source URLs (including file://), S3/MinIO credentials, encryption key file paths, and Vault credential file paths.
Operationally, this is the worst-case failure mode for “backup/restore” control planes: a single unauthenticated admin mutation can enable data destruction / data overwrite, plus network and filesystem reach from the database’s runtime position (often inside Kubernetes/VPC networks).
Who is impacted
- Deployments exposing Dgraph’s admin endpoint to untrusted networks.
- Dgraph versions reported as affected in the CVE record and vendor advisory.
| Source | Affected versions | Patch status as stated by source |
|---|---|---|
| CVE record | < 25.3.1 | “fixed in 25.3.1” |
| GitHub Security Advisory GHSA-p5rh-vmhp-gvcw | <= v25.3.0 | “Patched versions: None” |
If you rely on the advisory feed for automation, note the patch-status mismatch above and validate what is actually deployed in your fleet (images, Helm charts, manifests, and GitOps pins).
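An added example (not from the advisory or the Dgraph project) of the fleet check described above: it classifies container image references against the CVE record's 25.3.1 boundary and flags tags that cannot prove a version. The sample inventory is constructed, and matching on a repository named dgraph is an assumption about how your images are named.

```python
import re

FIXED = (25, 3, 1)  # first fixed release according to the CVE record quoted above

# Constructed sample inventory, e.g. image references collected from manifests.
SAMPLE_IMAGES = [
    "dgraph/dgraph:v25.3.0",
    "dgraph/dgraph:v25.3.1",
    "registry.example.internal:5000/mirror/dgraph/dgraph:v24.1.2",
    "dgraph/dgraph:latest",
    "dgraph/dgraph@sha256:" + "0" * 64,
    "dgraph/dgraph:v25.3.1-rc1",
    "postgres:16.2",
]

def parse_image(ref):
    """Return (repository, tag); tag is None when absent or digest-pinned."""
    name = ref.split("@", 1)[0]          # drop a digest pin
    last = name.rsplit("/", 1)[-1]       # a ':' before the last '/' is a registry port
    if ":" in last:
        repo, tag = name.rsplit(":", 1)
        return repo, tag
    return name, None

def classify(ref):
    """Return 'affected', 'fixed', 'unverifiable' or 'not-dgraph' for one image reference."""
    repo, tag = parse_image(ref)
    # Assumption: Dgraph server images live in a repository whose last segment is 'dgraph'.
    if not (repo == "dgraph" or repo.endswith("/dgraph")):
        return "not-dgraph"
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-.+)?", tag or "")
    if not m:
        return "unverifiable"            # latest, digest pin, custom tag: check the running binary
    version = tuple(int(x) for x in m.group(1, 2, 3))
    if version < FIXED:
        return "affected"
    if version == FIXED and m.group(4):
        return "unverifiable"            # a pre-release of the fixed version may predate the fix
    return "fixed"

def audit(images):
    """Map every image reference to its classification."""
    return {ref: classify(ref) for ref in images}

if __name__ == "__main__":
    for ref, status in audit(SAMPLE_IMAGES).items():
        print(f"{status:13} {ref}")
```

Anything reported as unverifiable needs the version confirmed on the running instance, since a tag such as latest or a digest pin says nothing about which release is deployed.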
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
  "This vulnerability is fixed in 25.3.1."
- If you build from source or need an immediate backport, follow the vendor advisory’s fix guidance for restoring the missing auth middleware mapping:
  "Add restoreTenant to adminMutationMWConfig:"
- Reduce exposure while rolling out a fix:
  - ensure the admin endpoint is not internet-exposed (network policies, security groups, ingress allowlists)
  - review access paths to /admin and audit for unexpected restoreTenant usage
- Treat exposed instances as high-risk:
  - validate database integrity and configuration (including restore configuration and any referenced secret/file paths)
  - if compromise is suspected, rotate credentials reachable by the Dgraph runtime (e.g., S3/MinIO, Vault, Kubernetes service account tokens) based on your environment’s specific wiring
