CVE-2026-41327

Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.3

Description An issue exists in Dgraph that allows an unauthenticated attacker to gain full read access to all data in the database. This occurs in the default configuration where Access Control Lists (ACL) are disabled. The flaw is a DQL injection located in the /mutate?commitNow=true endpoint. By sending a crafted cond variable within an upsert mutation, an attacker can inject an additional DQL query block. This happens because the cond value is concatenated directly into a DQL query string via the strings.Builder.WriteString function after only a cosmetic transformation, without proper escaping, parameterization, or structural validation. The injected query executes on the server, and the results are returned in the HTTP response. Even when ACL is enabled, users with mutation-only permissions can use this method to bypass per-predicate ACL authorization.

Recommendations Update to version 25.3.3. As a temporary workaround, enable ACL to restrict unauthenticated access to the /mutate endpoint.