LeakyCreds

CVE-2026-41328 - Vulnerability Analysis

Severity: Critical
CVSS: 9.1

Last Updated: April 27, 2026

Dgraph - NoSQL Injection

Published: April 24, 2026
Updated: April 27, 2026
Remote Exploitable

Overview

Dgraph versions before 25.3.3 contain a NoSQL (DQL) injection flaw: the language tag in a predicate key of a JSON mutation is not sanitized before it reaches the query layer. An unauthenticated attacker who can send crafted POST requests to the Alpha HTTP endpoint can use it to read all data in the database. Exploitation requires the default configuration in which ACL is disabled.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 7.6% (probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can read all data in the database, leading to full data disclosure.

Mitigation

Update to version 25.3.3 or later. Because exploitation requires ACL to be disabled, enabling Dgraph's ACL removes the unauthenticated exposure on clusters that cannot be patched immediately, but it is a stopgap rather than a substitute for the upgrade.
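A fleet-triage helper for the upgrade advice above, added here as an example; it is not code from Dgraph or from this advisory. It parses the JSON array returned by a Dgraph Alpha's /health endpoint, compares each instance's reported version against the fixed release 25.3.3, and flags unpatched nodes. The sample response embedded below is constructed, not captured from a live cluster, and the script does not check whether ACL is enabled, so a flagged node with ACL turned on is lower priority per the overview above.

```python
"""Flag Dgraph Alpha nodes reporting a version below 25.3.3 (CVE-2026-41328).

Added example, not Dgraph's own code. The response shape (a JSON array of
per-instance objects carrying a "version" field) follows the Alpha /health
endpoint; SAMPLE_HEALTH below is a constructed stand-in for a live reply.
"""
import json
import re
from typing import List, Tuple

FIXED_VERSION = (25, 3, 3)

# Dgraph reports versions such as "v25.3.2" or "v23.1.0"; older builds used
# zero-padded months like "v21.03.2". Suffixes such as "-rc1" are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) parsed from a Dgraph version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Dgraph version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates the fixed release 25.3.3."""
    return parse_version(version) < FIXED_VERSION


def triage_health(health_json: str) -> List[dict]:
    """Parse an Alpha /health response and return one finding per instance."""
    findings = []
    for node in json.loads(health_json):
        version = node.get("version", "")
        findings.append({
            "address": node.get("address", "?"),
            "version": version,
            "vulnerable": is_vulnerable(version),
        })
    return findings


# Constructed sample: two Alphas, one unpatched and one on the fixed release.
SAMPLE_HEALTH = json.dumps([
    {"instance": "alpha", "address": "alpha1:7080", "status": "healthy",
     "group": "1", "version": "v25.3.2", "uptime": 86400},
    {"instance": "alpha", "address": "alpha2:7080", "status": "healthy",
     "group": "1", "version": "v25.3.3", "uptime": 3600},
])

if __name__ == "__main__":
    for f in triage_health(SAMPLE_HEALTH):
        state = "VULNERABLE (< 25.3.3)" if f["vulnerable"] else "patched"
        print(f'{f["address"]:<14} {f["version"]:<10} {state}')
```

To run it against a real cluster, replace SAMPLE_HEALTH with the body fetched from each Alpha's /health URL; the version comparison is strict, so a node reporting exactly v25.3.3 is treated as patched.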

Social Media Activity (1 post)

OffSequence (@offseq), Apr 25, 2026

🚨 CVE-2026-41328: CRITICAL DQL injection in dgraph-io Dgraph (<25.3.3) allows unauthenticated full DB read! Exploit via crafted POSTs to port 8080. Patch to 25.3.3+ or enable ACL to mitigate. Details: https://radar.offseq.com/threat/cve-2026-41328-cwe-943-improper-neutralization-of--c8d19cb1 #OffSeq #CVE202641328 #GraphQL #infosec


Details

CVE ID: CVE-2026-41328
Severity: Critical
CVSS Score: 9.1
Type: nosql_injection
Status: unconfirmed
EPSS: 7.6%
Social Posts: 1

CWE

  • CWE-943

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

7.6% (probability of exploitation in the next 30 days)