CVE-2026-34976
Published: 06 April 2026
Summary
CVE-2026-34976 is a critical-severity Missing Authorization (CWE-862) vulnerability in Dgraph (vendor: Dgraph). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 38.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources in accordance with policy, directly mitigating the unauthenticated restoreTenant mutation.
- AC-14 (Permitted Actions Without Identification or Authentication): Limits and controls the specific actions that can be performed without identification or authentication, preventing exposure of high-risk restoreTenant operations to unauthenticated attackers.
- AC-6 (Least Privilege): Restricts privileges to the minimum necessary, ensuring admin mutations like restoreTenant require explicit authorization beyond basic access.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated restoreTenant mutation on a public-facing Dgraph instance enables T1190 (Exploit Public-Facing Application), T1005 (Data from Local System, via arbitrary local file reads through file:// backup sources and key file paths), and T1485 (Data Destruction, via overwriting the database). SSRF is a byproduct of the attacker-controlled backup source URL rather than a direct technique match.
NVD Description
Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF. This vulnerability is fixed in 25.3.1.
Deeper analysis
CVE-2026-34976 affects Dgraph, an open source distributed GraphQL database, in versions prior to 25.3.1. The vulnerability stems from the restoreTenant admin mutation being omitted from the authorization middleware configuration in admin.go, rendering it completely unauthenticated. Unlike the similar restore mutation, which requires Guardian-of-Galaxy authentication, restoreTenant executes without any middleware checks. This flaw, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
An unauthenticated attacker with network access to the Dgraph instance can exploit this by invoking the restoreTenant mutation, supplying attacker-controlled backup source URLs—including file:// for local filesystem access—along with S3/MinIO credentials, encryption key file paths, and Vault credential file paths. Successful exploitation enables overwriting the entire database, reading arbitrary server-side files, and conducting server-side request forgery (SSRF).
The vulnerability is addressed in Dgraph version 25.3.1, as detailed in the GitHub security advisory (GHSA-p5rh-vmhp-gvcw). Security practitioners should upgrade to 25.3.1 or later to mitigate the issue.
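The root cause above is a per-mutation authorization table with one entry missing. The following Go program, an added example that is not Dgraph's code, models that pattern in miniature: a table of guards keyed by mutation name, an audit function that lists every exposed admin mutation lacking a guard, and a dispatcher that fails closed instead of running an unregistered mutation unguarded. The mutation names other than restore and restoreTenant, the Guard type, and the guardianOnly token check are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Guard is a hypothetical authorization middleware: it inspects the
// caller's token and returns an error when the call must be refused.
type Guard func(token string) error

var ErrUnauthorized = errors.New("unauthorized")

// guardianOnly stands in for a Guardian-of-Galaxy style admin check.
// The token value is constructed; real deployments use ACL-issued tokens.
func guardianOnly(token string) error {
	if token != "guardian-token" {
		return ErrUnauthorized
	}
	return nil
}

// AdminMutations is a constructed subset of the admin mutations a server exposes.
var AdminMutations = []string{"backup", "restore", "restoreTenant", "shutdown"}

// vulnerableMiddleware mirrors the advisory's defect: restoreTenant has no entry.
var vulnerableMiddleware = map[string]Guard{
	"backup": guardianOnly, "restore": guardianOnly, "shutdown": guardianOnly,
}

// fixedMiddleware has the shape of the fix: every exposed mutation is guarded.
var fixedMiddleware = map[string]Guard{
	"backup": guardianOnly, "restore": guardianOnly,
	"restoreTenant": guardianOnly, "shutdown": guardianOnly,
}

// UnguardedMutations is the audit check: exposed mutations with no guard entry.
func UnguardedMutations(exposed []string, mw map[string]Guard) []string {
	var missing []string
	for _, m := range exposed {
		if _, ok := mw[m]; !ok {
			missing = append(missing, m)
		}
	}
	sort.Strings(missing)
	return missing
}

// Dispatch fails closed: a mutation with no registered guard is refused
// outright rather than executed without authorization.
func Dispatch(mw map[string]Guard, mutation, token string) error {
	g, ok := mw[mutation]
	if !ok {
		return fmt.Errorf("no authorization guard registered for %q: refusing", mutation)
	}
	return g(token)
}

func main() {
	fmt.Println(UnguardedMutations(AdminMutations, vulnerableMiddleware)) // [restoreTenant]
	fmt.Println(UnguardedMutations(AdminMutations, fixedMiddleware))      // []
}
```

Running the audit against a table like the vulnerable one reports restoreTenant; wiring Dispatch in front of execution ensures a future omission is refused rather than silently unauthenticated.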
Details
- CWE(s)