PT-2026-29969 · Dgraph · Dgraph
Kodareef5 · Published 2026-04-02 · Updated 2026-04-20 · CVE-2026-34976
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dgraph versions prior to 25.3.1
Description: Dgraph is vulnerable to an authentication bypass in the 'restoreTenant' admin mutation, exposed at the '/admin' API endpoint. The mutation lacks authorization middleware, so an unauthenticated attacker can invoke it to overwrite the entire database, read server-side files, and perform Server-Side Request Forgery (SSRF). It accepts attacker-controlled backup source URLs (including 'file://' for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. The vulnerable parameters are the location parameter for backup URLs, accessKey, secretKey, vaultAddr, vaultRoleIDFile, and vaultSecretIDFile. Exploitation can lead to complete data loss, data exfiltration, and potential full system compromise.
Recommendations: Update to version 25.3.1 or later. Isolate Dgraph admin endpoints from the public internet and restrict access to trusted IPs. Monitor and block 'restoreTenant' requests at the network/WAF layer. Rotate exposed credentials and inspect, or restore from, known-good offline backups. Restrict egress to block SSRF to metadata and internal endpoints. Enable centralized audit logging.
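Added example, not part of this advisory or of the Dgraph project: a small log-side detector for the "monitor and block" recommendation above. It scans request records for '/admin' calls that invoke restoreTenant and raises severity when the parameters the advisory lists, or a file:// backup location, appear in the body. The request records are constructed, and the GraphQL body shape in them is an assumption (the advisory does not give the mutation's exact input schema); the matcher keys only on the mutation and parameter names quoted above.

```python
import re
from dataclasses import dataclass, field

# Names quoted in the advisory: the unauthenticated admin mutation and the
# caller-controlled parameters it accepts.
MUTATION = "restoreTenant"
SENSITIVE_PARAMS = ("location", "accessKey", "secretKey",
                    "vaultAddr", "vaultRoleIDFile", "vaultSecretIDFile")
MUTATION_RE = re.compile(r"\b" + MUTATION + r"\b")
PARAM_RE = re.compile(r"\b(" + "|".join(SENSITIVE_PARAMS) + r")\s*:")
FILE_SCHEME_RE = re.compile(r"""["']file://""")

@dataclass
class Alert:
    client: str
    severity: str
    reasons: list = field(default_factory=list)

def inspect_request(client: str, path: str, body: str):
    """Alert on any /admin request invoking restoreTenant (the advisory says to
    block these outright); 'critical' when the body also carries the listed
    credential/location parameters or points the backup source at file://."""
    if not path.rstrip("/").endswith("/admin") or not MUTATION_RE.search(body):
        return None
    alert = Alert(client, "high", [f"{MUTATION} mutation sent to {path}"])
    params = sorted(set(PARAM_RE.findall(body)))
    if params:
        alert.severity = "critical"
        alert.reasons.append("restore parameters supplied: " + ", ".join(params))
    if FILE_SCHEME_RE.search(body):
        alert.severity = "critical"
        alert.reasons.append("backup location uses file:// (server-side file read)")
    return alert

# Constructed sample (client, path, body) records; the GraphQL shape is an approximation.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/admin", "query { health { status } }"),
    ("198.51.100.7", "/admin", 'mutation { restoreTenant(input: {location: "s3://backups/x", '
                               'accessKey: "AK", secretKey: "SK"}) { message } }'),
    ("203.0.113.9", "/admin", 'mutation { restoreTenant(input: {location: "file:///var/backups/dgraph"}) { message } }'),
    ("203.0.113.9", "/graphql", "query { queryUser { name } }"),
]

def scan_requests(records):
    # Run inspect_request over (client, path, body) tuples and keep the alerts.
    return [a for a in (inspect_request(*r) for r in records) if a is not None]

if __name__ == "__main__":
    for a in scan_requests(SAMPLE_REQUESTS):
        print(a.severity.upper(), a.client, "; ".join(a.reasons))
```

Feed it the bodies your reverse proxy or WAF logs for the '/admin' route; a match is a block-and-investigate event regardless of severity, since no legitimate unauthenticated caller should reach this mutation.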

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-34976, GHSA-P5RH-VMHP-GVCW

Affected Products: Dgraph