Skip to main content

Dgraph EUVDEUVD-2026-42237

| CVE-2026-44840 HIGH
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-06-29 https://github.com/dgraph-io/dgraph GHSA-q2m9-6jp9-c6mc
7.5
CVSS 3.1 · Vendor: https://github.com/dgraph-io/dgraph
Share

Severity by source

Vendor (https://github.com/dgraph-io/dgraph) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Unauthenticated single-request injection (AV:N/AC:L/PR:N/UI:N); confidentiality scored Low since disclosure is largely metric/config-dependent, and Availability Low reflects the documented resource-exhaustion vector.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/dgraph-io/dgraph).

CVSS VectorVendor: https://github.com/dgraph-io/dgraph

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 23:16 vuln.today

DescriptionCVE.org

Summary

The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL checkpwd() query via fmt.Sprintf without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks.

Details

Vulnerable Code Path

The vulnerability exists in the GraphQL-to-DQL query rewriting layer:

  1. query_rewriter.go (~line 364) - The checkpwd() DQL function is constructed using fmt.Sprintf:
go
   fmt.Sprintf(`checkpwd(User.password, "%s")`, password)

The raw password string from the GraphQL query input is embedded directly into the DQL query without escaping double quotes or other special characters.

  1. graphquery.go - The constructed query attribute is serialized into the final DQL string via b.WriteString(query.Attr), passing the unsanitized content directly to the Dgraph query engine.

Attack Mechanism

A password value containing a double-quote (") terminates the string literal in the checkpwd() function. Any content after the escaped quote is parsed as additional DQL, allowing the attacker to inject arbitrary query blocks.

Distinction from CVE-2026-41328 and CVE-2026-41327

CVE-2026-41328 and CVE-2026-41327 address DQL injection in edgraph/server.go, where GraphQL mutation inputs (upsert/delete) are embedded unsafely into DQL mutations. Those fixes sanitize the mutation path.

This vulnerability is in a completely different code path - the GraphQL query rewriter (query_rewriter.gographquery.go). The checkUserPassword GraphQL query triggers a DQL *query* via checkpwd(), and this query construction was not covered by the patches for CVE-2026-41328/CVE-2026-41327.

PoC

bash
curl -s -X POST http://TARGET:8080/graphql \
  -H "Content-Type: application/json" \
  -d '{ "query": "query { checkUserPassword(name: \"admin\", password: \"x\\\") { uid } injected(func: has(User.name)) { User.name User.email } dummy(func: eq(x, \\\"x\") { msg } }") { msg } }" }'

What to observe:

  • The touched_uids field in the extensions section of the response will be elevated (indicating the injected blocks executed)
  • Dgraph server logs (dgraph alpha output) will show the injected query blocks being parsed and executed
  • The response itself may be filtered by the GraphQL layer, but server-side execution is confirmed

Impact

  • Data enumeration: Injected query blocks execute server-side and can probe for the existence of predicates, types, and nodes via touched_uids metrics and server logs.
  • Schema discovery: An attacker can enumerate all predicates and types in the database by injecting schema {} blocks or has() queries.
  • Resource exhaustion: Expensive injected queries (recursive traversals, large aggregations) execute at the DQL layer, consuming server resources regardless of whether results are returned to the attacker.
  • Potential data disclosure: Depending on Dgraph configuration (e.g., debug mode, custom extensions), injected query results may leak into the response.

CVSS 3.1: 7.5 High - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Network-accessible via any GraphQL endpoint
  • No authentication required (checkUserPassword is an unauthenticated query)
  • Low attack complexity (single crafted HTTP request)
  • High confidentiality impact (server-side query execution confirmed, data enumeration possible)

Affected Versions

All versions of Dgraph that include GraphQL support with the @secret directive are affected:

  • <= v25.3.3
  • Any version where query_rewriter.go constructs checkpwd() via string interpolation

Suggested Fix

Escape or parameterize the password value before embedding it in the DQL query. At minimum, double-quote characters in the password must be escaped:

go
// Before (vulnerable):
fmt.Sprintf(`checkpwd(User.password, "%s")`, password)

// After (escaped):
escaped := strings.ReplaceAll(password, `\`, `\\`)
escaped = strings.ReplaceAll(escaped, `"`, `\"`)
fmt.Sprintf(`checkpwd(User.password, "%s")`, escaped)

Ideally, Dgraph should implement parameterized query support for the checkpwd() function to avoid string interpolation entirely, consistent with best practices for injection prevention.

Credit

Kai Aizen (kai.aizen.dev@gmail.com)

AnalysisAI

DQL (Dgraph Query Language) injection in Dgraph's GraphQL-to-DQL query rewriter (versions <= v25.3.3) lets remote unauthenticated attackers inject arbitrary query blocks through the unauthenticated checkUserPassword GraphQL query. User-supplied password values are interpolated into a checkpwd() DQL call via fmt.Sprintf without escaping, so a double-quote breaks out of the string literal and appends attacker-controlled DQL. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed /graphql endpoint
Delivery
Send checkUserPassword with quote in password
Exploit
Break out of checkpwd string literal
Execution
Append injected DQL query blocks
Persist
Server parses and executes injection
Impact
Enumerate schema/data via touched_uids

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Dgraph deployment expose the GraphQL endpoint (default port 8080, /graphql) with GraphQL support enabled and a schema using the @secret directive, which is what surfaces the unauthenticated checkUserPassword query and the vulnerable checkpwd() rewrite path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) indicates a network-reachable, low-complexity, unauthenticated attack with high confidentiality impact and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-exposed Dgraph Alpha GraphQL endpoint and sends a single crafted HTTP POST to /graphql calling checkUserPassword with a password value containing a double-quote followed by additional DQL blocks (e.g., a has(User.name) block and a schema{} probe). The injected blocks execute server-side; the attacker confirms success by observing elevated touched_uids in the response extensions and enumerates predicates, types, and node existence, or submits expensive recursive/aggregation queries to exhaust server resources. …
Remediation Vendor-released patch: upgrade to Dgraph v25.3.4 (https://github.com/dgraph-io/dgraph/releases/tag/v25.3.4), which contains commit cee702c93f141eeb0c96a81f70830ec9e459efac escaping/parameterizing the checkpwd() password value; see advisory GHSA-q2m9-6jp9-c6mc for details. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Dgraph instances in production running version 25.3.3 or earlier and assess network exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy