CVE-2026-41328 - Vulnerability Analysis

Overview

Dgraph < 25.3.3 contains a NoSQL injection caused by unsanitized predicate language tag in JSON mutation keys, letting unauthenticated attackers read all data via crafted POST requests, exploit requires default ACL disabled.

Severity & Score

Impact

Unauthenticated attackers can read all data in the database, leading to full data disclosure.

Mitigation

Update to version 25.3.3 or later.

References

• https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner