Lucene search
K

122 matches found

Nuclei
Nuclei
added 9 hours ago16 views

Dgraph <= 25.3.2 - Admin Token Disclosure

Dgraph = 25.3.2 contains an information disclosure caused by unauthenticated access to the /debug/vars endpoint , which publishes the cmdline variable including the --security token= flag, letting unauthenticated remote attackers retrieve the admin token and access admin-only endpoints, exploit...

9.8CVSS6.1AI score0.02187EPSS
Exploits1References2
NVD
NVD
added 6 days ago10 views

CVE-2026-54061

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send...

9.1CVSS0.00388EPSS
Exploits0References2
NVD
NVD
added 6 days ago7 views

CVE-2026-44840

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.4, the checkUserPassword GraphQL query in Dgraph is vulnerable to DQL Dgraph Query Language injection. User-supplied password values are interpolated directly into a DQL checkpwd query via fmt.Sprintf without any escapin...

7.5CVSS0.00484EPSS
Exploits0References3
Cvelist
Cvelist
added 6 days ago32 views

CVE-2026-44840 Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.4, the checkUserPassword GraphQL query in Dgraph is vulnerable to DQL Dgraph Query Language injection. User-supplied password values are interpolated directly into a DQL checkpwd query via fmt.Sprintf without any escapin...

7.5CVSS0.00484EPSS
Exploits0References3
CVE
CVE
added 6 days ago15 views

CVE-2026-44840

CVE-2026-44840 (Dgraph) : The vulnerability is in the GraphQL path for checkUserPassword, where user-supplied password values are interpolated into a DQL query via fmt.Sprintf without escaping or parameterization. This allows a specially crafted password (e.g., containing a ".") to break the DQL ...

7.5CVSS6.1AI score0.00484EPSS
Exploits0References3
EUVD
EUVD
added 6 days ago5 views

EUVD-2026-42235

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send...

9.1CVSS5.9AI score0.00388EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago30 views

CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send...

9.1CVSS0.00388EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 6 days ago8 views

PT-2026-56423

Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.5 Description Dgraph Alpha exposes privileged RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. An unauthenticated network client can access the...

9.1CVSS6.1AI score0.00388EPSS
Exploits0References7
OSV
OSV
added 2026/07/07 3:26 p.m.8 views

GO-2026-5837 Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query in github.com/dgraph-io/dgraph

Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query in github.com/dgraph-io/dgraph...

7.5CVSS5.9AI score0.00484EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 10:53 p.m.7 views

GHSA-Q2M9-6JP9-C6MC Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query

Summary The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL Dgraph Query Language injection. User-supplied password values are interpolated directly into a DQL checkpwd query via fmt.Sprintf without any escaping or parameterization. An attacker can inject a password containing a...

7.5CVSS6.2AI score0.00484EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/29 10:53 p.m.12 views

Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query

Summary The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL Dgraph Query Language injection. User-supplied password values are interpolated directly into a DQL checkpwd query via fmt.Sprintf without any escaping or parameterization. An attacker can inject a password containing a...

9.1CVSS6.2AI score0.00484EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.10 views

PT-2026-53759

Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.4 Description The checkUserPassword GraphQL query is susceptible to DQL Dgraph Query Language injection. This occurs because user-supplied password values are interpolated directly into a DQL checkpwd query using...

7.5CVSS6.2AI score0.00484EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.12 views

CVE-2026-41327

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a...

9.1CVSS5.4AI score0.00424EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.9 views

CVE-2026-41492

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can...

9.8CVSS5.5AI score0.02187EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.14 views

CVE-2026-41328

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack require...

9.1CVSS5.5AI score0.00338EPSS
Exploits1References1
Veracode
Veracode
added 2026/05/15 7:24 p.m.14 views

Improper Neutralization Of Special Elements In Data Query Logic

Dgraph is vulnerable to Improper Neutralization of Special Elements in Data Query Logic. The vulnerability is due to improper sanitization of the user-controlled cond field in upsert mutations, which allows an attacker to inject arbitrary DQL query blocks and gain unauthorized read access to...

9.1CVSS5.9AI score0.00424EPSS
Exploits1References3Affected Software3
Veracode
Veracode
added 2026/05/15 6:2 p.m.13 views

Information Exposure

Dgraph is vulnerable to Information Exposure. The vulnerability is due to exposure of process command-line arguments through the unauthenticated /debug/vars endpoint, which allows an attacker to obtain sensitive admin tokens and gain unauthorized access to admin-only endpoints...

9.8CVSS5.8AI score0.02187EPSS
Exploits1References3Affected Software3
Veracode
Veracode
added 2026/05/14 6:0 p.m.11 views

Missing Authentication

github.com/dgraph-io/dgraph is vulnerable to Missing Authentication. The vulnerability is due to the restoreTenant admin mutation missing authorization middleware validation, which allows an unauthenticated attacker to overwrite the database, access server-side files via file:// paths, and perfor...

10CVSS7.3AI score0.00452EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2026/05/14 4:58 p.m.21 views

Unauthenticated Credential Disclosure

github.com/dgraph-io/dgraph is vulnerable to an unauthenticated credential disclosure. The vulnerability is due to the /debug/pprof/cmdline endpoint being accessible without authentication, which exposes the full process command line including the admin token, allowing an attacker to retrieve the...

9.4CVSS5.8AI score0.00509EPSS
Exploits1References3Affected Software1
Wolfi
Wolfi
added 2026/05/09 7:48 a.m.21 views

GHSA-X92X-PX7W-4GX4 vulnerabilities

Vulnerabilities for packages: dgraph...

5.8AI score
Exploits0
Rows per page
Query Builder