CVE-2026-41327
Published: 24 April 2026
Summary
CVE-2026-41327 is a critical-severity Improper Neutralization of Special Elements in Data Query Logic (CWE-943) vulnerability in Dgraph (vendor Dgraph), an open source distributed GraphQL database. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its exploit likelihood ranks at the 10.7th percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely flaw remediation by upgrading Dgraph to version 25.3.3 or later directly eliminates the DQL injection vulnerability in the cond field processing.
- SI-10 (Information Input Validation): requires validation and sanitization of the cond field in upsert mutations to block DQL query injection by unauthenticated attackers.
- AC-3 (Access Enforcement): enforces approved authorizations, such as enabling ACL, to prevent unauthenticated access to the /mutate endpoint and the resulting data disclosure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public-facing Dgraph HTTP endpoint enables remote exploitation (T1190) and direct unauthorized data access from the database via DQL injection (T1213.006).
NVD Description
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
Deeper analysis
CVE-2026-41327 is a critical vulnerability in Dgraph, an open source distributed GraphQL database, affecting versions prior to 25.3.3. The issue stems from improper handling of the "cond" field in upsert mutations sent via HTTP POST to the /mutate?commitNow=true endpoint. In Dgraph's default configuration without ACL enabled, the cond value is concatenated directly into a DQL query string using strings.Builder.WriteString after only a cosmetic strings.Replace transformation, without escaping, parameterization, or structural validation. This enables DQL injection, where an attacker can append a syntactically valid named query block that the DQL parser executes server-side. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-943.
An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a malicious cond field in the upsert mutation, the attacker injects an arbitrary DQL query block, gaining full read access to every piece of data in the database. The injected query executes server-side, and its results are returned directly in the HTTP response, potentially allowing extraction of sensitive information.
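The following Go program is an added illustration written for this page; it is not Dgraph's code and not the 25.3.3 fix. It models the pattern the advisory describes: the upsert cond is written into the DQL query text after nothing more than a strings.Replace, so a cond that closes its own @if(...) group and continues with a named query block lands in the query verbatim. Beside it is one structural check that accepts only a single balanced @if(...) group (honouring quoted string literals) and refuses trailing content or block delimiters. The query template, the function names buildUpsertQueryVulnerable, buildUpsertQueryHardened and validateCond, and the sample conditions are all constructed here and are simplified relative to real DQL.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample inputs (not taken from the advisory or any real exploit).
const (
	sampleQuery  = `v as var(func: eq(email, "user@example.org"))`
	benignCond   = `@if(eq(len(v), 0))`
	injectedCond = `@if(eq(len(v), 0)) leak(func: has(dgraph.type)) { uid expand(_all_) }`
)

// buildUpsertQueryVulnerable models the unsafe pattern: each cond is pasted into
// the query text after a cosmetic strings.Replace, with no parsing or escaping.
// The template is illustrative, not Dgraph's real one.
func buildUpsertQueryVulnerable(query string, conds []string) string {
	var b strings.Builder
	b.WriteString("{\n  ")
	b.WriteString(query)
	for i, cond := range conds {
		filter := strings.Replace(cond, "@if", "", 1) // only transformation applied
		b.WriteString(fmt.Sprintf("\n  __cond_%d__ as var(func: uid(v)) @filter%s", i, filter))
	}
	b.WriteString("\n}")
	return b.String()
}

// validateCond accepts exactly "@if(" + balanced expression + ")" and nothing else.
// Parentheses inside double-quoted literals are ignored; "{" and "}" outside a
// literal are rejected because a legitimate condition never opens a block
// (assumption made for this illustration).
func validateCond(cond string) error {
	c := strings.TrimSpace(cond)
	if !strings.HasPrefix(c, "@if(") || !strings.HasSuffix(c, ")") {
		return errors.New("cond must have the form @if(<expression>)")
	}
	body := c[3:] // from the opening "(" to the end
	depth, inStr, escaped := 0, false, false
	for i := 0; i < len(body); i++ {
		ch := body[i]
		switch {
		case inStr && escaped:
			escaped = false
		case inStr && ch == '\\':
			escaped = true
		case inStr && ch == '"':
			inStr = false
		case inStr:
			// any other byte inside a string literal is data
		case ch == '"':
			inStr = true
		case ch == '(':
			depth++
		case ch == ')':
			depth--
			if depth == 0 && i != len(body)-1 {
				return errors.New("cond has trailing content after the @if(...) group")
			}
		case ch == '{' || ch == '}':
			return errors.New("cond must not contain block delimiters")
		}
	}
	if depth != 0 || inStr {
		return errors.New("cond has unbalanced parentheses or an unterminated string")
	}
	return nil
}

// buildUpsertQueryHardened validates every cond before it reaches the builder.
func buildUpsertQueryHardened(query string, conds []string) (string, error) {
	for i, cond := range conds {
		if err := validateCond(cond); err != nil {
			return "", fmt.Errorf("mutation %d: %w", i, err)
		}
	}
	return buildUpsertQueryVulnerable(query, conds), nil
}

func main() {
	fmt.Println("vulnerable build with injected cond:")
	fmt.Println(buildUpsertQueryVulnerable(sampleQuery, []string{injectedCond}))
	if _, err := buildUpsertQueryHardened(sampleQuery, []string{injectedCond}); err != nil {
		fmt.Println("hardened build rejected it:", err)
	}
	q, err := buildUpsertQueryHardened(sampleQuery, []string{benignCond})
	fmt.Println("hardened build with benign cond:", err == nil)
	fmt.Println(q)
}
```

Running it prints the injected leak(...) block sitting inside the generated query as an ordinary named block, which is exactly what a DQL parser would then execute; the hardened path refuses the same input. A check like this is a stop-gap to reason with, not a substitute for the vendor fix: parameterize or parse the condition instead of pasting text, and upgrade to 25.3.3 regardless.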
The vulnerability is fixed in Dgraph version 25.3.3, as detailed in the project's release notes and GitHub security advisory GHSA-mrxx-39g5-ph77. Security practitioners should upgrade to 25.3.3 or later and enable ACL in configurations to mitigate exposure, particularly for internet-facing instances.
Details
- CWE(s)