A security vulnerability was found in Dgraph, the high-performance, horizontally scalable GraphQL database. The flaw, designated as CVE-2026-34976, has been assigned a rare CVSS score of 10.0, the highest possible rating for severity.
Dgraph is built from the ground up for ACID transactions and linearizable reads over complex data sets, and the vulnerability poses a “Critical” threat to organizations that rely on its distributed architecture.
The root of the issue is a classic oversight in authorization logic. Dgraph uses an authorization middleware configuration to protect administrative functions, but one specific mutation, restoreTenant, was simply left out of the list.
While the similar restore mutation is strictly protected by “Guardian-of-Galaxy” authentication, IP whitelisting, and audit logging, restoreTenant was found to execute with “zero middleware”.
Technically, when the system looks up the required security checks for this mutation, the lookup finds no entry and returns an empty (nil) middleware list. The dispatcher then treats that empty list as “nothing to enforce” rather than as a misconfiguration, so authentication, authorization, and audit logging are all skipped: the configuration fails open instead of failing closed.
Because this administrative function is completely unauthenticated, a remote attacker can trigger it via the admin endpoint (port 8080 by default) without providing a single credential. Once reached, the restoreTenant mutation accepts several attacker-controlled parameters, including backup source URLs and file paths.
The impact of this “Pre-Auth” access is broad and devastating:
- Database Overwrite: Attackers can overwrite the entire database with their own data, leading to a complete loss of integrity.
- Server-Side File Read: By using file:// URLs, an attacker can read sensitive files directly from the local filesystem.
- Server-Side Request Forgery (SSRF): The flaw allows attackers to perform SSRF attacks, potentially reaching internal network resources.
- Credential Theft: Attackers can access encryption keys and Vault credential file paths, potentially compromising the entire security infrastructure.
The vulnerability is “Network accessible” and requires “No user interaction,” making it an ideal target for automated exploitation.
- Affected Versions: All versions up to and including v25.3.0.
- Impact: Complete loss of confidentiality, integrity, and availability, including “database destruction”.
The Dgraph team has moved swiftly to resolve this critical oversight. The patch is a simple but vital addition to adminMutationMWConfig: assigning the “Guardian-of-Galaxy” middleware chain (gogMutMWs) to restoreTenant, as was already done for restore.
Administrators are urged to upgrade to Dgraph v25.3.1 immediately to secure their clusters against this unauthenticated takeover.
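The following is an added example, not Dgraph's own code, written to show why the missing entry described above degraded into “zero middleware” and what a fail-closed dispatcher and a coverage test would have done differently. The names gogMutMWs and the restore/restoreTenant mutations are taken from the article; the Request fields, the guardianAuth and ipAllowlist checks, the accepted token and IP values, and the dispatch functions are constructed assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Request carries the fields the checks below look at. The fields and the
// values they are compared against are constructed for this example.
type Request struct {
	Mutation string
	Token    string // stand-in for a Guardian-of-Galaxy credential
	ClientIP string
}

// Middleware is one pre-execution check; a non-nil error rejects the request.
type Middleware func(Request) error

// guardianAuth and ipAllowlist are simplified stand-ins for the real
// Guardian-of-Galaxy auth and IP whitelist checks (assumed behaviour).
func guardianAuth(r Request) error {
	if r.Token != "guardian-token" {
		return errors.New("guardian-of-galaxy auth failed")
	}
	return nil
}

func ipAllowlist(r Request) error {
	if r.ClientIP != "10.0.0.5" {
		return fmt.Errorf("client %s not in allowlist", r.ClientIP)
	}
	return nil
}

// gogMutMWs is the chain the article says protects restore.
var gogMutMWs = []Middleware{guardianAuth, ipAllowlist}

// vulnerableConfig mirrors the pre-patch state: restoreTenant has no entry.
var vulnerableConfig = map[string][]Middleware{
	"restore": gogMutMWs,
}

// fixedConfig mirrors the patch: restoreTenant gets the same chain as restore.
var fixedConfig = map[string][]Middleware{
	"restore":       gogMutMWs,
	"restoreTenant": gogMutMWs,
}

// dispatchFailOpen reproduces the bug. Indexing a map with a missing key
// returns the zero value, a nil slice; ranging over nil runs zero checks, so
// the mutation executes with no auth, no IP check and no audit log.
func dispatchFailOpen(cfg map[string][]Middleware, r Request) error {
	for _, mw := range cfg[r.Mutation] {
		if err := mw(r); err != nil {
			return err
		}
	}
	return nil // nil means "execute the mutation"
}

// dispatchFailClosed treats "no configuration" as "deny": a mutation that is
// not explicitly listed, or is listed with an empty chain, never runs.
func dispatchFailClosed(cfg map[string][]Middleware, r Request) error {
	mws, ok := cfg[r.Mutation]
	if !ok || len(mws) == 0 {
		return fmt.Errorf("mutation %q has no middleware configured; refusing", r.Mutation)
	}
	for _, mw := range mws {
		if err := mw(r); err != nil {
			return err
		}
	}
	return nil
}

// unprotected is the coverage check a unit test could run against the
// config: every known admin mutation must have a non-empty chain.
func unprotected(cfg map[string][]Middleware, mutations []string) []string {
	var missing []string
	for _, m := range mutations {
		if len(cfg[m]) == 0 {
			missing = append(missing, m)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	anon := Request{Mutation: "restoreTenant", ClientIP: "203.0.113.9"}
	fmt.Println("fail-open, unpatched:", dispatchFailOpen(vulnerableConfig, anon))
	fmt.Println("fail-closed, unpatched:", dispatchFailClosed(vulnerableConfig, anon))
	fmt.Println("fail-open, patched:", dispatchFailOpen(fixedConfig, anon))
	fmt.Println("unprotected:", unprotected(vulnerableConfig, []string{"restore", "restoreTenant"}))
}
```

The patch fixes the data (the missing map entry); the fail-closed dispatcher and the unprotected() check fix the class of bug, so that the next admin mutation added without a middleware entry is refused at runtime and flagged in CI rather than silently exposed.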
Hi. Just a typo. This is CVE-2026-34976 and not CVE-2026-33976. Thanks!
Updated.
Thank you!