CVE-2026-44840 is a high-severity security vulnerability in github.com/dgraph-io/dgraph/v25 (go), affecting versions <= 25.3.3. It is fixed in 25.3.4.
Summary

The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL checkpwd() query via fmt.Sprintf without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks.

Details

Vulnerable Code Path

The vulnerability exists in the GraphQL-to-DQL query rewriting layer:

query_rewriter.go (~line 364): the checkpwd() DQL function is constructed using fmt.Sprintf:

```go
fmt.Sprintf(`checkpwd(User.password, "%s")`, password)
```

The raw password string from the GraphQL query input is embedded directly into the DQL query without escaping double quotes or other special characters.

graphquery.go: the constructed query attribute is serialized into the final DQL string via b.WriteString(query.Attr), passing the unsanitized content directly to the Dgraph query engine.

Attack Mechanism

A password value containing a double-quote (") terminates the string literal in the checkpwd() function. Any content after that quote is parsed as additional DQL, allowing the attacker to inject arbitrary query blocks.

Distinction from CVE-2026-41328 and CVE-2026-41327

CVE-2026-41328 and CVE-2026-41327 address DQL injection in edgraph/server.go, where GraphQL mutation inputs (upsert/delete) are embedded unsafely into DQL mutations. Those fixes sanitize the mutation path. This vulnerability is in a completely different code path, the GraphQL query rewriter (query_rewriter.go → graphquery.go). The checkUserPassword GraphQL query triggers a DQL query via checkpwd(), and this query construction was not covered by the patches for CVE-2026-41328/CVE-2026-41327.
PoC

What to observe:

- The touched_uids field in the extensions section of the response will be elevated (indicating the injected blocks executed).
- Dgraph server logs (dgraph alpha output) will show the injected query blocks being parsed and executed.
- The response itself may be filtered by the GraphQL layer, but server-side execution is confirmed.

Impact

Data enumeration: Injected query blocks execute server-side and can probe for the existence of predicates, types, and nodes via touched_uids metrics and server logs.

Schema discovery: An attacker can enumerate all predicates and types in the database by injecting schema {} blocks or has() queries.

Resource exhaustion: Expensive injected queries (recursive traversals, large aggregations) execute at the DQL layer, consuming server resources regardless of whether results are returned to the attacker.

Potential data disclosure: Depending on Dgraph configuration (e.g., debug mode, custom extensions), injected query results may leak into the response.

CVSS 3.1: 7.5 High, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

- Network-accessible via any GraphQL endpoint
- No authentication required (checkUserPassword is an unauthenticated query)
- Low attack complexity (single crafted HTTP request)
- High confidentiality impact (server-side query execution confirmed, data enumeration possible)

Affected Versions

All versions of Dgraph that include GraphQL support with the @secret directive are affected:

- <= v25.3.3
- Any version where query_rewriter.go constructs checkpwd() via string interpolation

Suggested Fix

Escape or parameterize the password value before embedding it in the DQL query. At minimum, double-quote characters in the password must be escaped. Ideally, Dgraph should implement parameterized query support for the checkpwd() function to avoid string interpolation entirely, consistent with best practices for injection prevention.

Credit

Kai Aizen ([email protected])
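The escaping that the suggested fix calls for, as an added example that is not Dgraph's own code: the interpolating builder the advisory describes sits beside an escaped variant, and a small check counts unescaped double quotes in the resulting checkpwd() call so the break-out is visible. The escaping scheme (backslash, double quote, newline) and all function names are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// buildCheckpwdVulnerable follows the interpolation pattern the advisory
// describes: the raw password lands inside the DQL string literal unchanged.
func buildCheckpwdVulnerable(password string) string {
	return fmt.Sprintf(`checkpwd(User.password, "%s")`, password)
}

// escapeDQLString neutralises the characters that could end or alter a
// double-quoted DQL string literal. Assumed scheme: backslash first, then
// the double quote, then newline, so the literal stays a single token.
func escapeDQLString(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`).Replace(s)
}

// buildCheckpwdEscaped is the hardened variant: same call, escaped value.
func buildCheckpwdEscaped(password string) string {
	return fmt.Sprintf(`checkpwd(User.password, "%s")`, escapeDQLString(password))
}

// unescapedQuotes counts double quotes not preceded by an escaping backslash.
// A single well-formed checkpwd() call must contain exactly two.
func unescapedQuotes(q string) int {
	n, escaped := 0, false
	for _, c := range q {
		switch {
		case escaped:
			escaped = false
		case c == '\\':
			escaped = true
		case c == '"':
			n++
		}
	}
	return n
}

func main() {
	// Constructed password with an embedded double quote, as in the advisory.
	pw := `hunter2") {`
	for _, q := range []string{buildCheckpwdVulnerable(pw), buildCheckpwdEscaped(pw)} {
		fmt.Printf("%-45s unescaped quotes: %d\n", q, unescapedQuotes(q))
	}
}
```

The vulnerable form yields three unescaped quotes (the literal has been terminated early), the escaped form two; a check like unescapedQuotes is also a cheap guard to run on any DQL string assembled from user input.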
CVE-2026-44840 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (25.3.4). Upgrading removes the vulnerable code path.