A maximum-severity vulnerability in Dgraph, a popular open-source graph database. Tracked as CVE-2026-34976, this critical flaw carries a perfect CVSS score of 10.0.
It allows unauthenticated remote attackers to bypass all security controls, overwrite entire databases, read sensitive server files, and launch Server-Side Request Forgery (SSRF) attacks.
Discovered by security researchers Matthew McNeely and Koda Reef, this vulnerability poses a massive risk to organizations that expose their Dgraph administration endpoints to the internet.
Dgraph Database Vulnerability
The root cause of this vulnerability is a classic case of missing authorization (CWE-862). The issue resides in Dgraph’s GraphQL administration API.
Within the Dgraph source code, administrative actions are protected by a security middleware configuration that enforces authentication (known as “Guardian of the Galaxy” auth), IP allowlisting, and audit logging.
However, an administrative command called restoreTenant was accidentally omitted from this security configuration map.
Because of this omission, when the system processes a restoreTenant request, it finds no security rules attached to it.
As a result, the database bypasses all authentication checks and immediately processes the restoreTenant command, allowing any external user to restore a database from a backup URL.
Because attackers can trigger this command without logging in, they can supply their own malicious parameters to manipulate the server in several devastating ways:
- Complete Database Overwrite: An attacker can host a crafted database backup on a public cloud storage bucket, like Amazon S3.
By sending a request to the Dgraph server, they can force it to fetch their malicious backup and overwrite the target database, destroying all existing data.
- Local Filesystem Probing: Instead of a cloud URL, attackers can input local file paths (using the file:// scheme).
This allows them to scan the server’s internal directories and read sensitive files, such as password hashes and Kubernetes security tokens.
- Server-Side Request Forgery (SSRF): Attackers can trick the database into making outbound HTTP requests to internal, private networks or cloud metadata endpoints. This exposes internal services that are normally protected behind a firewall.
Mitigations
This vulnerability affects Dgraph versions 25.3.0 and older. The impact is catastrophic, resulting in a total loss of data confidentiality, integrity, and availability.
Because it requires zero user interaction or credentials, it is highly exploitable. At the time of disclosure, an official patched version of Dgraph had not yet been released.
However, researchers noted that the software fix is straightforward; developers simply need to add the restoreTenant mutation to the existing administrative middleware list.
Until an official patch is deployed, network administrators must take immediate defensive action and monitor updates on GitHub.
Organizations should strictly isolate their Dgraph administration ports (typically port 8080) from the public internet and restrict access to trusted internal IP addresses only.
