Dgraph: Critical Dgraph Database Vulnerability Let Attackers Bypass Authentication

Critical Zero-Day Vulnerability in Dgraph Exposes Databases to Remote Takeover

A maximum-severity flaw (CVE-2026-34976, CVSS 10.0) in Dgraph, a widely used open-source graph database, allows unauthenticated attackers to bypass all security controls, overwrite databases, exfiltrate sensitive files, and launch Server-Side Request Forgery (SSRF) attacks. The vulnerability was discovered by security researchers Matthew McNeely and Koda Reef and stems from a missing authorization check in Dgraph’s GraphQL administration API.

The issue lies in the restoreTenant command, which was accidentally excluded from Dgraph’s security middleware (dubbed the “Guardian of the Galaxy” auth). Without authentication or IP restrictions, attackers can exploit this oversight to trigger the command remotely, enabling multiple attack vectors:

  • Database Overwrite: Attackers can force Dgraph to fetch a malicious backup from a public cloud storage (e.g., Amazon S3) and replace the entire database.
  • Local File Theft: By supplying file:// paths, attackers can read sensitive server files, including password hashes and Kubernetes tokens.
  • SSRF Attacks: The flaw allows outbound requests to internal networks or cloud metadata endpoints, exposing protected services.

The vulnerability affects Dgraph versions 25.3.0 and older, posing a catastrophic risk to organizations with exposed admin endpoints (typically port 8080). Exploitation requires no credentials or user interaction, which makes the flaw highly dangerous. While the fix is straightforward (adding restoreTenant to the security middleware), no official patch had been released at the time of disclosure.

Until a patch is available, organizations are advised to isolate Dgraph admin ports from the public internet and restrict access to trusted IPs. The flaw underscores the critical need for rigorous authorization checks in administrative APIs.
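To make the root cause concrete, here is an added illustration, not Dgraph's own code (the mutation names, the Caller type and the public-operation list are constructed assumptions). It contrasts an auth middleware that protects an explicit list of admin mutations, which is how one forgotten entry such as restoreTenant slips through, with a deny-by-default gate that protects every admin operation unless it is explicitly marked public:

```go
package main

import (
	"errors"
	"fmt"
)

// Caller is the identity an auth middleware would derive from the request
// (constructed for this example; real middleware would validate a token).
type Caller struct {
	IsGuardian bool // true once guardian (admin) credentials were verified
}

var ErrUnauthorized = errors.New("unauthorized: guardian credentials required")

// Vulnerable pattern: only mutations listed here are checked. Any mutation
// not on the list runs with no auth at all. restoreTenant is deliberately
// absent, mirroring the reported omission.
var guardedMutations = map[string]bool{
	"backup": true, "restore": true, "export": true, "shutdown": true,
}

func authorizeAllowlist(mutation string, c Caller) error {
	if guardedMutations[mutation] && !c.IsGuardian {
		return ErrUnauthorized
	}
	return nil // unlisted mutation: silently allowed
}

// Hardened pattern: every admin operation requires guardian auth unless it
// is explicitly marked public. A newly added mutation is therefore protected
// by default rather than exposed by default.
var publicOperations = map[string]bool{
	"health": true, // constructed example of a read-only public operation
}

func authorizeDenyByDefault(mutation string, c Caller) error {
	if publicOperations[mutation] || c.IsGuardian {
		return nil
	}
	return fmt.Errorf("%w (operation %q)", ErrUnauthorized, mutation)
}

func main() {
	anon := Caller{}
	fmt.Println("allowlist, anonymous restoreTenant:", authorizeAllowlist("restoreTenant", anon))
	fmt.Println("deny-by-default, anonymous restoreTenant:", authorizeDenyByDefault("restoreTenant", anon))
}
```

Auditing an admin API for this class of bug means listing every exposed operation and checking each one against the gate, rather than trusting that the protected list is complete.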

Source: https://cybersecuritynews.com/dgraph-database-vulnerability/

Dgraph Labs cybersecurity rating report: https://www.rankiteo.com/company/dgraph-labs

Rankiteo record:

  • id: DGR1775478238
  • linkid: dgraph-labs
  • type: Vulnerability
  • date: 4/2026
  • severity: 100
  • impact: 5
  • explanation: Attack threatening the organization's existence

Incident details:

  • Title: Critical Zero-Day Vulnerability in Dgraph Exposes Databases to Remote Takeover
  • Type: Zero-Day Vulnerability
  • Vulnerability exploited: CVE-2026-34976 (missing authorization check in restoreTenant command)
  • Attack vector: Remote exploitation
  • Affected entity: Dgraph (open-source software; industry: Technology/Database Management). Customers affected: organizations using Dgraph versions 25.3.0 and older with exposed admin endpoints.
  • Description: A maximum-severity flaw (CVE-2026-34976, CVSS 10.0) in Dgraph, a widely used open-source graph database, allows unauthenticated attackers to bypass all security controls, overwrite databases, exfiltrate sensitive files, and launch Server-Side Request Forgery (SSRF) attacks. The vulnerability stems from a missing authorization check in Dgraph’s GraphQL administration API, specifically in the restoreTenant command, which was excluded from the security middleware.
  • Data breach: data exfiltration yes (via file theft or SSRF); personally identifiable information potentially exposed (if stored in the database); sensitivity of data high (password hashes, Kubernetes tokens, personally identifiable information if stored); types of data compromised: sensitive server files, database contents.
  • Impact: potential reputational damage due to unauthorized access and data exposure; data compromised: sensitive files (e.g., password hashes, Kubernetes tokens) and database contents; identity theft risk high (if personally identifiable information is exposed); operational impact: database overwrite, unauthorized access to internal systems via SSRF; systems affected: Dgraph graph database (versions 25.3.0 and older).
  • Investigation status: vulnerability disclosed; patch pending.
  • Response: containment by isolating Dgraph admin ports from the public internet and restricting access to trusted IPs; remediation by adding restoreTenant to the security middleware (pending official patch).
  • Customer advisories: organizations using Dgraph should isolate admin ports and restrict access to trusted IPs until a patch is applied.
  • Recommendations: immediately isolate Dgraph admin ports from the public internet, restrict access to trusted IPs, and apply the official patch once released. Conduct a security audit of all administrative APIs for similar authorization gaps.
  • Post-incident analysis: root cause is the missing authorization check in the restoreTenant command of Dgraph’s GraphQL administration API; corrective action is to add restoreTenant to the security middleware to enforce authentication and authorization.
  • Lessons learned: critical need for rigorous authorization checks in administrative APIs, especially for commands with high-privilege operations like database restoration.
  • References: security researchers Matthew McNeely and Koda Reef.