216.73.217.22

CVE-2026-34976

· Published 06/04/2026 17:17 · Modified 07/04/2026 17:16

Labels: CVE-2026-34976 2026-04-06CVE-2026-34976CWE-862[email protected]

Essential information

Published
06/04/2026 17:17
Modified
07/04/2026 17:16
Author
Creator
CVSS
10.0 CRITICAL (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS metrics

Description

Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF. This vulnerability is fixed in 25.3.1.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
dgraph / dgraph cpe:2.3:a:dgraph:dgraph:25.3.1:*:*:*:*:*:*:*

References