Cyber Resilience

CVE-2026-34976

Critical · Public PoC

Published: 06 April 2026
Modified: 22 April 2026
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0045 (35.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-34976 is a critical-severity Missing Authorization (CWE-862) vulnerability in Dgraph (vendor: Dgraph). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-34976 affects Dgraph, an open source distributed GraphQL database, in versions prior to 25.3.1. The vulnerability stems from the restoreTenant admin mutation being omitted from the authorization middleware configuration in admin.go, rendering it completely unauthenticated. Unlike the similar restore mutation, which requires Guardian-of-Galaxy authentication, restoreTenant executes without any middleware checks. This flaw, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

An unauthenticated attacker with network access to the Dgraph instance can exploit this by invoking the restoreTenant mutation, supplying attacker-controlled backup source URLs—including file:// for local filesystem access—along with S3/MinIO credentials, encryption key file paths, and Vault credential file paths. Successful exploitation enables overwriting the entire database, reading arbitrary server-side files, and conducting server-side request forgery (SSRF).

The vulnerability is addressed in Dgraph version 25.3.1, as detailed in the GitHub security advisory (GHSA-p5rh-vmhp-gvcw). Security practitioners should upgrade to 25.3.1 or later to mitigate the issue.
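The Go snippet below is an added illustration of the bug class described above and is not Dgraph's code or anything taken from the advisory: authorization middleware is attached through a per-mutation configuration table, so a mutation left out of the table runs with no checks. All names (AdminServer, Request, RequireGuardian, newServer, MissingAuthz) and the "guardian" caller identity are hypothetical stand-ins. It pairs the vulnerable layout (restore guarded, restoreTenant omitted) with a hardened one that both wraps restoreTenant and fails closed on any mutation with no configured policy, and it includes the audit that a unit test can run on every build to catch this regression class.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

var ErrUnauthorized = errors.New("unauthorized: guardian credentials required")

// Request is a constructed stand-in for an incoming admin GraphQL mutation.
type Request struct {
	Caller string            // identity established upstream; "" means anonymous
	Args   map[string]string // mutation arguments, e.g. the backup location
}

type Resolver func(Request) (string, error)
type Middleware func(Resolver) Resolver

// RequireGuardian models the Guardian-of-Galaxy check that the advisory says
// guards `restore` but was never applied to `restoreTenant` (hypothetical).
func RequireGuardian(next Resolver) Resolver {
	return func(req Request) (string, error) {
		if req.Caller != "guardian" {
			return "", ErrUnauthorized
		}
		return next(req)
	}
}

type AdminServer struct {
	resolvers  map[string]Resolver
	middleware map[string][]Middleware // per-mutation chain; absent key = no checks
	failClosed bool                    // hardened mode: refuse unconfigured mutations
}

// Resolve dispatches a mutation through its configured middleware chain.
func (s *AdminServer) Resolve(name string, req Request) (string, error) {
	r, ok := s.resolvers[name]
	if !ok {
		return "", fmt.Errorf("unknown mutation %q", name)
	}
	chain, configured := s.middleware[name]
	if !configured && s.failClosed {
		// Fail closed: an omission from the config table is a deny, not a bypass.
		return "", fmt.Errorf("mutation %q has no authorization policy configured", name)
	}
	for i := len(chain) - 1; i >= 0; i-- {
		r = chain[i](r)
	}
	return r(req)
}

// MissingAuthz is the build-time audit: every mutation with no middleware at
// all. On the vulnerable layout it reports restoreTenant.
func (s *AdminServer) MissingAuthz() []string {
	var out []string
	for name := range s.resolvers {
		if len(s.middleware[name]) == 0 {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func restoreResolver(req Request) (string, error) {
	return "restored from " + req.Args["location"], nil
}

// newServer wires the two mutations named in the advisory. vulnerable=true
// mirrors the pre-25.3.1 state: restore guarded, restoreTenant omitted.
func newServer(vulnerable bool) *AdminServer {
	s := &AdminServer{
		resolvers: map[string]Resolver{
			"restore":       restoreResolver,
			"restoreTenant": restoreResolver,
		},
		middleware: map[string][]Middleware{
			"restore": {RequireGuardian},
		},
		failClosed: !vulnerable,
	}
	if !vulnerable {
		s.middleware["restoreTenant"] = []Middleware{RequireGuardian}
	}
	return s
}

func main() {
	// Constructed anonymous request; the location value is a placeholder.
	anon := Request{Args: map[string]string{"location": "s3://constructed-bucket/backup"}}
	for _, vulnerable := range []bool{true, false} {
		s := newServer(vulnerable)
		_, err := s.Resolve("restoreTenant", anon)
		fmt.Printf("vulnerable=%v unguarded=%v anonymous restoreTenant err=%v\n",
			vulnerable, s.MissingAuthz(), err)
	}
}
```

The design point is the fail-closed branch in Resolve: with an allowlist-style middleware table, the safe default for a mutation nobody configured is to refuse it, and MissingAuthz turns that same table into a regression test so a future admin mutation cannot ship unguarded the way restoreTenant did.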

Vulnerability details

Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF. This vulnerability is fixed in 25.3.1.

CWE(s)

CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

Unauthenticated restoreTenant mutation on public-facing Dgraph enables T1190 (exploit public-facing app), T1005 (arbitrary local file reads via file:// and key paths), and T1485 (database overwrite for data destruction); SSRF is a byproduct but not a direct technique match.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41492: Same product (Dgraph Dgraph)
CVE-2026-41328: Same product (Dgraph Dgraph)
CVE-2026-41327: Same product (Dgraph Dgraph)
CVE-2026-40173: Same product (Dgraph Dgraph)
CVE-2025-68547: Shared CWE-862
CVE-2020-36852: Shared CWE-862
CVE-2026-32817: Shared CWE-862
CVE-2025-22657: Shared CWE-862
CVE-2026-25808: Shared CWE-862
CVE-2026-25443: Shared CWE-862

Affected Assets

Vendor: dgraph
Product: dgraph
Versions: ≤ 25.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for access to system resources in accordance with policy, directly mitigating the unauthenticated restoreTenant mutation.

AC-14 Permitted Actions Without Identification or Authentication (prevent)

Limits and controls specific actions performable without identification or authentication, preventing exposure of high-risk restoreTenant operations to unauthenticated attackers.

AC-6 Least Privilege (prevent)

Restricts privileges to the minimum necessary, ensuring admin mutations like restoreTenant require explicit authorization beyond basic access.
