JustAppSec

Dgraph patches pre-auth DQL injection via upsert cond

2 min read | Published 24 Apr 2026 | Updated 24 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR - Dgraph < 25.3.3 can be queried pre-auth: one POST /mutate?commitNow=true with a crafted upsert cond injects DQL and returns arbitrary query results.

What happened

Dgraph is an open source distributed graph database that exposes both GraphQL and DQL (Dgraph Query Language) interfaces. Its Alpha nodes serve an HTTP API whose /mutate endpoint accepts DQL mutations, including upserts that combine a query block with a conditional mutation.

CVE-2026-41327 is a pre-auth data-exfiltration flaw when ACL is not enabled (the default configuration called out in the record). The attack is a single HTTP POST to /mutate?commitNow=true that supplies a crafted cond field in an upsert mutation.

The core issue is in how the server assembles the DQL text for an upsert. The cond field of a mutation is meant to carry only an @if(...) condition that gates whether the mutation runs, but its value is concatenated directly into the DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. There is no escaping, parameterization, or structural validation. An attacker can therefore close the expected clause and inject an additional DQL query block into cond; the injected query executes server-side and its results are returned in the HTTP response.
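To make the concatenation concrete, here is an added Go example. It is not Dgraph's code: buildUpsertUnsafe mirrors the WriteString pattern the record describes, with a newline substitution standing in for the unspecified cosmetic strings.Replace, and validateCond shows one illustrative structural check (a single balanced @if(...) clause, no braces) rather than the upstream fix, which the page does not describe. The injected cond shape in main is constructed to show the effect on the assembled query, not a verified payload.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// buildUpsertUnsafe reproduces the vulnerable pattern the advisory describes:
// the caller-supplied cond is written straight into the DQL text with
// strings.Builder.WriteString after only a cosmetic strings.Replace.
// Hypothetical simplification for illustration; not Dgraph's code. The
// newline replacement stands in for whatever cosmetic transform the record
// refers to, which the page does not spell out.
func buildUpsertUnsafe(query, cond, setNQuads string) string {
	var sb strings.Builder
	sb.WriteString("upsert {\n  query ")
	sb.WriteString(query)
	sb.WriteString("\n  mutation ")
	sb.WriteString(strings.Replace(cond, "\n", " ", -1)) // cosmetic: no escaping, no structure check
	sb.WriteString(" {\n    set {\n      ")
	sb.WriteString(setNQuads)
	sb.WriteString("\n    }\n  }\n}\n")
	return sb.String()
}

// condRe captures what an upsert cond is allowed to be: a single @if(...) clause.
var condRe = regexp.MustCompile(`^@if\((.*)\)$`)

// validateCond is one illustrative structural check (not the upstream fix):
// an empty cond is fine (it is optional), otherwise it must be exactly
// @if(<condition>) with balanced parentheses and no braces or newlines, so
// it cannot close the clause and open a second DQL block.
func validateCond(cond string) error {
	c := strings.TrimSpace(cond)
	if c == "" {
		return nil
	}
	if strings.ContainsAny(c, "{}\n") {
		return errors.New("cond must not contain braces or newlines")
	}
	m := condRe.FindStringSubmatch(c)
	if m == nil {
		return errors.New("cond must have the form @if(<condition>)")
	}
	depth := 0
	for _, r := range m[1] {
		switch r {
		case '(':
			depth++
		case ')':
			depth--
			if depth < 0 {
				return errors.New("unbalanced parentheses in cond")
			}
		}
	}
	if depth != 0 {
		return errors.New("unbalanced parentheses in cond")
	}
	return nil
}

// buildUpsertSafe refuses to build the query at all when cond fails validation.
func buildUpsertSafe(query, cond, setNQuads string) (string, error) {
	if err := validateCond(cond); err != nil {
		return "", err
	}
	return buildUpsertUnsafe(query, strings.TrimSpace(cond), setNQuads), nil
}

func main() {
	query := "{ v as var(func: has(email)) }"
	set := `uid(v) <email> "x" .`
	good := "@if(eq(len(v), 0))"
	// Constructed shape of an injected cond: the clause is closed and an
	// extra query block follows. Illustrative only; not a verified payload.
	bad := good + " { set { } } query { leak(func: has(name)) { name } }"

	fmt.Println(buildUpsertUnsafe(query, bad, set)) // the extra block lands in the DQL text
	if _, err := buildUpsertSafe(query, bad, set); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The unsafe builder is the point of the example: because nothing between the JSON field and the DQL text understands structure, whatever the client puts in cond becomes part of the query the server parses. A structural allow-list like validateCond is the cheapest fix at this layer; passing the condition through a real DQL parser before splicing it in would be stronger still.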

This is high-leverage because it turns a commonly exposed application-facing database API into a full read primitive under default no-ACL deployments.

Who is impacted

  • Dgraph (dgraph-io/dgraph) versions < 25.3.3.
  • Environments running Dgraph with ACL not enabled (called out as the default configuration in the record), where the HTTP API is reachable by untrusted clients.
Item      Value
Severity  CVSS 3.1 9.1 (Critical)
Vector    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Note that the vector scores integrity (I:H) as well as confidentiality high, while the narrative in the record is about reads; scope any impact review around both.

What to do now

  • Follow vendor remediation guidance and apply a release that includes the fix.

    "This vulnerability is fixed in 25.3.3."

  • Inventory Dgraph deployments and confirm whether Alpha HTTP endpoints (notably /mutate) are reachable from the internet or broad internal networks.
  • Treat this as potential data exposure if you were running without ACL and the HTTP API was reachable by untrusted clients:
    • review request logs for unexpected POST traffic to /mutate?commitNow=true; request bodies are typically only available if a reverse proxy or WAF in front of Alpha records them
    • specifically flag requests whose cond value is anything other than a single @if(...) condition, in particular values containing braces or an extra query block
  • Reduce blast radius while patching where operationally feasible:
    • restrict network access to Dgraph HTTP ports to only trusted callers
    • avoid relying on default no-ACL posture for any Dgraph instance holding sensitive data
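The log review described above, as an added Go example that is not tooling from Dgraph or from the page's author. It assumes a constructed JSON-per-line request log of the kind a reverse proxy or WAF in front of Alpha might emit, with a body field (Dgraph's own logs do not look like this), and it reports two things: commitNow mutations arriving from outside a trusted application network, and any cond that is not a bare @if(...) clause. The trusted CIDR and the sample records are made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// reqLog is an assumed log format: one JSON object per line from a reverse
// proxy or WAF in front of Dgraph Alpha that records request bodies. It is
// constructed for this example and is not a Dgraph log format. encoding/json
// matches the lowercase keys src/method/path/body case-insensitively.
type reqLog struct{ Src, Method, Path, Body string }

// mutationBody is the part of the JSON upsert payload that matters here.
type mutationBody struct{ Mutations []struct{ Cond string } }

type Finding struct {
	Line        int
	Src, Reason string
}

// isMutateCommit matches the exact request shape the advisory names.
func isMutateCommit(rawPath string) bool {
	u, err := url.Parse(rawPath)
	if err != nil {
		return false
	}
	return u.Path == "/mutate" && u.Query().Get("commitNow") == "true"
}

// condSuspicious flags a cond that is not a bare @if(...) clause or that
// contains braces: a legitimate condition never needs them, an injected
// DQL block does.
func condSuspicious(cond string) bool {
	c := strings.TrimSpace(cond)
	if c == "" {
		return false
	}
	if strings.ContainsAny(c, "{}") {
		return true
	}
	return !(strings.HasPrefix(c, "@if(") && strings.HasSuffix(c, ")"))
}

func inTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Triage reports commitNow mutations from outside the trusted networks
// (exposure) and any mutation whose cond looks injected.
func Triage(lines []string, trusted []*net.IPNet) []Finding {
	var out []Finding
	for i, ln := range lines {
		var r reqLog
		if json.Unmarshal([]byte(ln), &r) != nil || r.Method != "POST" || !isMutateCommit(r.Path) {
			continue
		}
		if !inTrusted(net.ParseIP(r.Src), trusted) {
			out = append(out, Finding{i + 1, r.Src, "POST /mutate?commitNow=true from untrusted source"})
		}
		var mb mutationBody
		if json.Unmarshal([]byte(r.Body), &mb) != nil {
			continue
		}
		for _, m := range mb.Mutations {
			if condSuspicious(m.Cond) {
				out = append(out, Finding{i + 1, r.Src, "suspicious cond: " + m.Cond})
			}
		}
	}
	return out
}

// sampleLines are constructed records; 10.0.1.0/24 plays the trusted app tier.
var sampleLines = []string{
	`{"src":"10.0.1.10","method":"POST","path":"/mutate?commitNow=true","body":"{\"query\":\"{ v as var(func: has(email)) }\",\"mutations\":[{\"cond\":\"@if(eq(len(v), 0))\",\"set\":{\"uid\":\"_:new\",\"email\":\"x\"}}]}"}`,
	`{"src":"203.0.113.7","method":"POST","path":"/mutate?commitNow=true","body":"{\"query\":\"{ v as var(func: has(email)) }\",\"mutations\":[{\"cond\":\"@if(eq(len(v), 0)) { set { } } query { leak(func: has(name)) { name } }\",\"set\":{\"uid\":\"_:new\"}}]}"}`,
	`{"src":"203.0.113.7","method":"GET","path":"/health","body":""}`,
	`{"src":"198.51.100.9","method":"POST","path":"/mutate?commitNow=true","body":"{\"query\":\"{ v as var(func: has(email)) }\",\"mutations\":[{\"cond\":\"@if(eq(len(v), 0))\",\"set\":{\"uid\":\"_:new\"}}]}"}`,
}

func TriageSample() []Finding {
	_, appNet, _ := net.ParseCIDR("10.0.1.0/24")
	return Triage(sampleLines, []*net.IPNet{appNet})
}

func main() {
	for _, f := range TriageSample() {
		fmt.Printf("line %d src=%s: %s\n", f.Line, f.Src, f.Reason)
	}
}
```

On the constructed records this yields three findings: line 2 is both from an untrusted source and carries a cond with an injected block, and line 4 is a normal-looking upsert from an untrusted source, which is the exposure signal on its own. Requests without a logged body still get the exposure check, so the tool degrades usefully when only proxy access logs are available.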

Additional Information

CISA ADP vulnrichment (SSVC) for this CVE marks Exploitation: poc, meaning a public proof of concept exists, and Automatable: yes.


Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
