External risk intelligence

Dgraph database allows attackers full access to all customer data without authentication

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-41328

An external attacker can exploit a flaw in the Dgraph database to bypass security and gain full access to all stored information. This allows unauthorized parties to steal or expose sensitive organizational data, resulting in a potential total breach of critical business records.

Halo Surface Signal: 2

Dgraph before 25.3.3

External exposure likelihood

Halo Surface Signal score for CVE-2026-41328

Dgraph is a backend database service typically deployed within private or internal network segments. While the vulnerability exposes management endpoints on port 8080, direct exposure of database services to the public internet is a network misconfiguration rather than a standard or intended deployment pattern.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in Dgraph allows unauthenticated attackers to gain full read access to all data within the database. This issue arises from improper handling of user-supplied input in specific unauthenticated API requests, making it a significant risk for organizations using Dgraph without proper security configurations.

  • Unauthenticated remote attackers can read all data.
  • Affects default configurations without enabled access controls.
  • Requires two specific HTTP POST requests.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending two unauthenticated HTTP POST requests to a Dgraph instance. The first request alters the schema to create a specific predicate, and the second sends a crafted mutation. This allows the attacker to inject and execute arbitrary DQL queries on the server, granting them full read access to all data in the database.

  • Unauthenticated access required
  • Targets Dgraph's /alter and /mutate endpoints
  • Exploits schema predicate injection

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to gain read access to all data in a Dgraph database if ACLs are not enabled, requiring only two HTTP POST requests to exposed endpoints. Attackers may favor this vulnerability because of its critical impact (complete data exfiltration) and its apparent ease of exploitation, provided the targeted Dgraph instance is reachable over the network and still running the default configuration without access controls. The main limiting factor is its likely narrow scope, since Dgraph is typically deployed internally and not directly exposed to the internet.

  • Exploitation requires network access to the Dgraph instance.
  • Dgraph is typically deployed internally.
  • Unauthenticated read access to all stored data.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate patching of Dgraph to version 25.3.3 to address the critical unauthenticated data access vulnerability. If patching is not feasible, isolate affected Dgraph instances from untrusted networks to prevent exploitation.

  • Apply Dgraph version 25.3.3.
  • Restrict network access to port 8080.
  • Monitor traffic for suspicious DQL injection patterns.
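The monitoring step above can be made concrete as a log-based detection. The following is an added example, not code from the advisory's source or from the Dgraph project: it parses access-log lines from a reverse proxy assumed to sit in front of a Dgraph alpha on port 8080 and flags two things the advisory describes, POSTs to the /alter and /mutate endpoints from outside an allowlisted application subnet, and a POST /alter followed shortly by a POST /mutate from the same client. The log lines, the 10.0.0.0/8 allowlist and the five-minute window are constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (reverse proxy in front of a Dgraph alpha
# on port 8080). Invented for this example; not real traffic.
SAMPLE_LOG = """\
10.0.5.12 - - [03/May/2026:10:12:01 +0000] "POST /mutate?commitNow=true HTTP/1.1" 200 311
203.0.113.45 - - [03/May/2026:10:15:40 +0000] "POST /alter HTTP/1.1" 200 45
203.0.113.45 - - [03/May/2026:10:15:42 +0000] "POST /mutate?commitNow=true HTTP/1.1" 200 9822
10.0.5.12 - - [03/May/2026:10:20:00 +0000] "POST /query HTTP/1.1" 200 120
198.51.100.7 - - [03/May/2026:11:01:00 +0000] "POST /alter HTTP/1.1" 200 45
198.51.100.7 - - [03/May/2026:11:30:00 +0000] "POST /mutate HTTP/1.1" 200 600
"""

# Combined-log-style line: client, identd, user, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Hypothetical allowlist: application subnets that are expected to reach Dgraph.
TRUSTED_NETS = (ip_network("10.0.0.0/8"),)

# Endpoints named in the advisory. Schema changes and mutations should only
# ever arrive from the trusted application networks.
ADMIN_PATHS = ("/alter", "/mutate")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
        "bytes": int(m.group("bytes")),
    }


def is_trusted(ip, nets=TRUSTED_NETS):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def detect(lines, nets=TRUSTED_NETS, window=timedelta(minutes=5)):
    """Return a list of findings (dicts with rule, ip, ts, path), in log order.

    "untrusted_source": a POST to /alter or /mutate from outside the allowlist.
    "alter_then_mutate": a POST /alter followed within `window` by a POST /mutate
    from the same client, the two-request shape the advisory describes.
    """
    findings = []
    last_alter = {}  # client ip -> time of its most recent POST /alter
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"] in ADMIN_PATHS and not is_trusted(ev["ip"], nets):
            findings.append({"rule": "untrusted_source", "ip": ev["ip"],
                             "ts": ev["ts"], "path": ev["path"]})
        if ev["path"] == "/alter":
            last_alter[ev["ip"]] = ev["ts"]
        elif ev["path"] == "/mutate":
            t = last_alter.get(ev["ip"])
            if t is not None and ev["ts"] - t <= window:
                findings.append({"rule": "alter_then_mutate", "ip": ev["ip"],
                                 "ts": ev["ts"], "path": ev["path"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['ts'].isoformat()} {f['rule']:18} {f['ip']} {f['path']}")
```

On the constructed sample this reports four untrusted admin-endpoint hits (two clients, two requests each) and one alter-then-mutate sequence (the 203.0.113.45 client, two seconds apart); the 198.51.100.7 pair falls outside the window and is reported only under the allowlist rule. The sequence rule also fires for trusted clients, which is deliberate: a deployment job that legitimately alters the schema will trigger it, so tune the window or exempt known deploy hosts rather than dropping the rule. Neither rule proves exploitation; both are triage signals that should lead to checking whether ACLs are enabled and the instance is at 25.3.3 or later.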

Frequently asked questions

What is the impact of CVE-2026-41328 on Dgraph databases?

CVE-2026-41328 allows an unauthenticated attacker to gain full read access to all data in a Dgraph database. This occurs when the database is using its default configuration where Access Control Lists (ACLs) are not enabled.

How can an attacker exploit the Dgraph vulnerability?

An attacker can exploit this vulnerability by sending two unauthenticated HTTP POST requests to a Dgraph instance. The first request modifies the schema, and the second sends a crafted mutation to port 8080. This allows for DQL injection, leading to server-side query execution and data exfiltration.

What weakness class does CVE-2026-41328 fall under?

This vulnerability is classified under CWE-943, which relates to general SQL injection. In this specific case, it's a DQL (Dgraph Query Language) injection within the database schema and mutation handling.

What is the relevance of the Halo Surface Signal score for this Dgraph vulnerability?

The Halo Surface Signal score indicates this vulnerability is 'Unlikely' to be exploited in the wild. This is because Dgraph is typically deployed internally, and direct exposure of database services to the internet is considered a misconfiguration rather than a standard deployment.

What is the recommended practical response to the Dgraph vulnerability?

The primary recommendation is to immediately update Dgraph to version 25.3.3, which contains the fix for this vulnerability. If immediate patching is not possible, restrict network access to the affected Dgraph instances, specifically port 8080, to prevent unauthorized access. Monitoring network traffic for suspicious DQL injection patterns is also advised.