CVE-2026-41327 is a critical-severity security vulnerability in github.com/dgraph-io/dgraph/v25 (go), affecting versions < 25.3.3. It is fixed in 25.3.3.
Executive Summary A vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. There are no credentials involved. When ACL is disabled (the default), the /mutate endpoint requires no authentication. The authorizeQuery and authorizeMutation functions both return nil immediately when AclSecretKey is not configured. Even when ACL is enabled, a user with mutation-only permission can inject read queries that bypass per-predicate ACL authorization, because the injected query block is not subject to the normal authorization flow. POC clip: https://github.com/user-attachments/assets/edf43615-b0d5-46cd-abd9-2cb9423790d2 CVSS Score CVSS 3.1: 9.1 (Critical) | Metric | Value | Rationale | | ------------------- | --------- | ---------------------------------------------------------------------------------- | | Attack Vector | Network | HTTP POST to port 8080 | | Attack Complexity | Low | Single request, no special conditions beyond default config | | Privileges Required | None | No authentication when ACL is disabled (default) | | User Interaction | None | Fully automated | | Scope | Unchanged | Stays within the Dgraph data layer | | Confidentiality | High | Full database exfiltration: all nodes, all predicates, all values | | Integrity | High | The injection can also be used to manipulate upsert conditions, bypassing uniqueness constraints and conditional mutation logic | | Availability | None | No denial of service | Vulnerability Summary | Field | Value | | --------- | ------------------------------------------------------------------------------------------ | | Title | Pre-Auth DQL Injection via Unsanitized Cond Field in Upsert Mutations | | Type | Injection | | CWE | CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) | | CVSS | 9.8 | Target Information | Field | Value | | -------------------- | ---------------------------------------------------------------------------------------------- | | Project | Dgraph | | Repository | https://github.com/dgraph-io/dgraph | | Tested version | v25.3.0 | | HTTP handler | dgraph/cmd/alpha/http.go line 345 (mutationHandler) | | Cond extraction | dgraph/cmd/alpha/http.go line 413 (strconv.Unquote) | | Cond passthrough | edgraph/server.go line 2011 (ParseMutationObject, copies mu.Cond verbatim) | | Injection sink | edgraph/server.go line 750 (upsertQB.WriteString(cond)) | | Only transformation | edgraph/server.go line 730 (strings.Replace(gmu.Cond, "@if", "@filter", 1)) | | Auth bypass (query) | edgraph/access.go line 958 (authorizeQuery returns nil when AclSecretKey == nil) | | Auth bypass (mutate) | edgraph/access.go line 788 (authorizeMutation returns nil when AclSecretKey == nil) | | Response exfiltration| dgraph/cmd/alpha/http.go line 498 (mp["queries"] = json.RawMessage(resp.Json)) | | HTTP port | 8080 (default) | | Prerequisite | None. Default configuration. ACL disabled is the default. | Test Environment | Component | Version / Details | | -------------------- | --------------------------------------------------------------- | | Host OS | macOS (darwin 25.3.0) | | Dgraph | v25.3.0 via dgraph/dgraph:latest Docker image | | Docker Compose | 1 Zero + 1 Alpha, default config, --security whitelist=0.0.0.0/0 | | Python | 3.x with requests | | Network | localhost (127.0.0.1) | Vulnerability Detail Location: edgraph/server.go lines 714-757 (buildUpsertQuery) CWE: CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) The /mutate endpoint accepts JSON bodies containing a mutations array. Each mutation can include a cond field, intended for conditional upserts with syntax like @if(eq(name, "Alice")). This condition is supposed to be spliced into the DQL query as a @filter clause on a dummy var(func: uid(0)) block. The handler at http.go:413 extracts the cond value via strconv.Unquote, which interprets \n as actual newlines but performs no sanitization: ParseMutationObject at server.go:2011 copies it verbatim: buildUpsertQuery at server.go:730 applies one cosmetic replacement then concatenates the raw string directly into the DQL query: There is no escaping, no parameterization, no structural validation, and no character allowlist between the HTTP input and the query string concatenation. An attacker crafts a cond value that closes the @filter(...) clause and opens an entirely new named query block: After buildUpsertQuery processes this, the resulting DQL is: The DQL parser (dql.ParseWithNeedVars) accepts multiple query blocks within a single {} container. It parses leak(...) as a legitimate named query. The validateResult function at parser.go:740 only checks for duplicate aliases and explicitly skips var queries. The injected query uses a unique alias, so validation passes. All three queries execute. The results of the injected leak block are serialized to JSON and returned to the attacker at http.go:498: The @if condition evaluates to false ("nonexistent" matches nothing), so the set mutation never actually writes data. The attack is a pure read disguised as a mutation. No data is modified. Full Chain Explanation The attacker has no Dgraph credentials and no prior access to the server. Step 1. The attacker sends one HTTP request: No X-Dgraph-AccessToken header. No X-Dgraph-AuthToken header. The /mutate endpoint has no authentication wrapper in default configuration. Step 2. mutationHandler at http.go:345 calls readRequest to get the body, then extractMutation which calls strconv.Unquote on the cond field. The \n becomes a real newline. The result is stored in api.Mutation.Cond. Step 3. The request enters edgraph.Server.QueryNoGrpc at http.go:471, which calls doQuery -> parseRequest -> ParseMutationObject. The Cond is copied verbatim to dql.Mutation.Cond at server.go:2011. Step 4. buildUpsertQuery at server.go:714 processes the condition. The only transformation is strings.Replace(gmu.Cond, "@if", "@filter", 1) at line 730. The full string, including the injected leak(...) block, is written into the query builder at line 750. Step 5. dql.ParseWithNeedVars parses the constructed DQL string. It encounters three query blocks: q, the upsert check var, and the injected leak. All three are accepted as valid DQL. Step 6. authorizeQuery at access.go:958 returns nil immediately because AclSecretKey == nil (ACL not configured). No predicate-level authorization is performed. Step 7. processQuery executes all three query blocks. The leak block traverses every node with a dgraph.type predicate and returns all requested fields. Step 8. The response is returned to the attacker at http.go:498. The data.queries.leak array contains every matching node with all their predicates, including secrets, credentials, and PII. Proof of Concept Files | File | Purpose | | ----------------------- | ---------------------------------------------------------- | | report.md | This vulnerability report | | poc.py | Exploit: sends the injection and prints leaked data | | docker-compose.yml | Spins up a Dgraph cluster (1 Zero + 1 Alpha, default config) | | DGraphPreAuthDQL.mp4 | Screen recording of the full attack from start to exfiltration | POC files zip: LEAD001DQL.zip poc.py The exploit sends a single POST to /mutate?commitNow=true with the crafted cond field. It parses the response and prints all exfiltrated records, highlighting secrets, AWS credentials, and GCP service account keys. Tested Output Steps to Reproduce Prerequisites Python 3 with requests (pip install requests) Docker and Docker Compose Step 1: Start Dgraph Wait for health: Step 2: Seed test data Step 3: Run the exploit What to verify HTTP POST returns 200 (endpoint is reachable without auth) Response contains data.queries.leak with an array of nodes The nodes include fields the attacker never queried through legitimate means (secrets, AWS keys, GCP keys) No data was modified in the database (the @if condition prevents the set from executing) Mitigations and Patch Location: edgraph/server.go, buildUpsertQuery (line 714) Instead of concatenating the raw cond string into the DQL query, buildUpsertQuery should parse the cond value with the DQL lexer and construct the @filter as a parsed AST subtree. This eliminates the injection surface entirely because the filter is built programmatically rather than spliced in as a raw string. The existing strings.Replace(gmu.Cond, "@if", "@filter", 1) at line 730 is a semantic transformation, not a security control, and should not be relied upon for sanitization.
CVE-2026-41327 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (25.3.3). Upgrading removes the vulnerable code path.
go
github.com/dgraph-io/dgraph/v25 (< 25.3.3)github.com/dgraph-io/dgraph/v24 (<= 24.1.8)github.com/dgraph-io/dgraph (<= 1.2.8)github.com/dgraph-io/dgraph/v25 → 25.3.3 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-41327 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-41327 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-41327 in your environment →Upgrade github.com/dgraph-io/dgraph/v25 to 25.3.3 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-41327 is a critical-severity security vulnerability in github.com/dgraph-io/dgraph/v25 (go), affecting versions < 25.3.3. It is fixed in 25.3.3.
CVE-2026-41327 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/dgraph-io/dgraph/v25 (go) (versions < 25.3.3)github.com/dgraph-io/dgraph/v24 (go) (versions <= 24.1.8)github.com/dgraph-io/dgraph (go) (versions <= 1.2.8)Yes. CVE-2026-41327 is fixed in 25.3.3. Upgrade to this version or later.
Whether CVE-2026-41327 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/dgraph-io/dgraph/v25 to 25.3.3 or later.