PT-2026-35032 · Dgraph · Dgraph

Vladimirelitokarev · Published 2026-04-24 · Updated 2026-05-22 · CVE-2026-41328

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Dgraph versions prior to 25.3.3

Description: An issue in Dgraph allows an unauthenticated attacker to gain full read access to all data in the database when the default configuration is used and Access Control Lists (ACL) are not enabled. The flaw is a DQL injection: the Lang field of JSON mutation keys is not validated before it is used to build a query.

An attacker can exploit this with two HTTP POST requests to port 8080. First, the '/alter' endpoint is used to set up a schema predicate with @unique, @index(exact), and @lang. Second, a crafted JSON mutation is sent to the '/mutate?commitNow=true' endpoint. By placing a DQL injection payload in the language-tag position of a JSON key, the attacker escapes the eq() function and executes arbitrary named query blocks server-side. The injection reaches the addQueryIfUnique() function in edgraph/server.go, which uses fmt.Sprintf to build the query from the unsanitized predicateName variable, including the raw pred.Lang value. The results of the injected query are returned in the HTTP response.

Recommendations: Update to version 25.3.3. As a temporary workaround, enable ACL to prevent unauthenticated access to the '/alter' and '/mutate' endpoints.
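Added example, not Dgraph's code and not the fix shipped in 25.3.3: a hardened shape for the query construction described above, in Go. It assumes hypothetical names ValidateLangTag and BuildUniqueQuery, an allowlist for @lang tags and predicate names that is deliberately stricter than what Dgraph accepts, and that the value being checked for uniqueness is passed as a DQL query variable. The point it demonstrates is that no request-controlled string reaches fmt.Sprintf unless it has first matched a strict identifier pattern, so a tag carrying query metacharacters is rejected before any query text exists.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Hypothetical hardening for the pattern described in the advisory: identifiers
// taken from a mutation (predicate name and @lang tag) are checked against a
// strict allowlist before they are interpolated into DQL text, and the value
// being checked for uniqueness is passed as a DQL query variable instead of
// being spliced into the query string. Names and patterns are assumptions,
// not Dgraph's own code.

var (
	// Conservative allowlist for language tags: ASCII alphanumeric subtags of
	// 1-8 characters joined by single hyphens ("en", "en-US", "zh-Hans").
	langTagPattern = regexp.MustCompile(`^[A-Za-z0-9]{1,8}(-[A-Za-z0-9]{1,8})*$`)

	// Conservative allowlist for predicate names used in this example.
	predicatePattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_.]*$`)

	ErrInvalidLang      = errors.New("invalid language tag")
	ErrInvalidPredicate = errors.New("invalid predicate name")
)

// ValidateLangTag accepts an empty tag (no language) or a tag matching the
// allowlist. Anything containing DQL metacharacters such as '(', ')', ',',
// whitespace or quotes fails the pattern and is rejected.
func ValidateLangTag(lang string) error {
	if lang == "" {
		return nil
	}
	if len(lang) > 35 || !langTagPattern.MatchString(lang) {
		return fmt.Errorf("%w: %q", ErrInvalidLang, lang)
	}
	return nil
}

// BuildUniqueQuery returns the DQL text that looks up an existing node holding
// value for pred (restricted to lang when one is given) together with the
// variable map to send alongside it. Only validated identifiers are formatted
// into the query; the user-supplied value travels as the $val variable.
func BuildUniqueQuery(pred, lang, value string) (string, map[string]string, error) {
	if !predicatePattern.MatchString(pred) {
		return "", nil, fmt.Errorf("%w: %q", ErrInvalidPredicate, pred)
	}
	if err := ValidateLangTag(lang); err != nil {
		return "", nil, err
	}
	ref := pred
	if lang != "" {
		ref = pred + "@" + lang
	}
	query := fmt.Sprintf("query q($val: string) { unique(func: eq(%s, $val)) { uid } }", ref)
	vars := map[string]string{"$val": value}
	return query, vars, nil
}

func main() {
	// Constructed inputs: well-formed tags and tags carrying query metacharacters.
	for _, lang := range []string{"en", "en-US", "en us", "en)"} {
		q, vars, err := BuildUniqueQuery("email", lang, "alice@example.com")
		if err != nil {
			fmt.Printf("rejected %q: %v\n", lang, err)
			continue
		}
		fmt.Printf("accepted %q: %s with vars %v\n", lang, q, vars)
	}
}
```

The same gate belongs in front of every place a mutation-derived identifier is formatted into DQL, not only the uniqueness check; an allowlist that rejects on mismatch is simpler to reason about than an escaping routine, because the set of characters DQL treats as syntax does not need to be enumerated.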

Weakness Enumeration

Related Identifiers

CVE-2026-41328
GHSA-X92X-PX7W-4GX4

Affected Products

Dgraph