Critical Dgraph flaw let unauthenticated attackers bypass admin protections, but a fix is now available
A critical Dgraph vulnerability tracked as CVE-2026-34976 can let remote, unauthenticated attackers bypass protections on the database’s admin API and trigger dangerous actions through the restoreTenant mutation. GitHub’s reviewed advisory rates it critical with a CVSS 3.1 score of 10.0 and says the bug can enable database overwrite, server-side request forgery, and file access paths under affected conditions.
The core issue is missing authorization. According to the advisory, restoreTenant was left out of Dgraph’s admin authorization middleware map, so the mutation could execute without the Guardian of the Galaxy authentication and related checks that protect similar admin actions such as restore.
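To make the failure mode concrete, here is an added Go sketch (not Dgraph's code) of the pattern the advisory describes: a per-mutation authorization middleware map that is consulted at dispatch time. The `guardianOnly` stub, the `isGuardian` flag and the two dispatch variants are assumptions for illustration; the point is that a fail-open lookup turns a missing map entry into an authorization bypass, while a fail-closed lookup plus a completeness check turns it into a build-time or test-time error.

```go
package main

import "fmt"
type middleware func(isGuardian bool) error

// guardianOnly stands in for the Guardian check; a stub, not Dgraph's code.
func guardianOnly(isGuardian bool) error {
	if isGuardian {
		return nil
	}
	return fmt.Errorf("unauthorized: guardian membership required")
}

// adminMutations lists the mutations this hypothetical server exposes;
// vulnerableMap reproduces the bug class: restoreTenant has no entry.
var adminMutations = []string{"restore", "restoreTenant"}
var vulnerableMap = map[string]middleware{"restore": guardianOnly}

// dispatchFailOpen runs a mutation unprotected when nothing is registered.
func dispatchFailOpen(mws map[string]middleware, name string, isGuardian bool) error {
	if mw, ok := mws[name]; ok {
		return mw(isGuardian)
	}
	return nil // omitted entry => executes with zero checks
}

// dispatchFailClosed refuses any mutation that has no registered middleware.
func dispatchFailClosed(mws map[string]middleware, name string, isGuardian bool) error {
	mw, ok := mws[name]
	if !ok {
		return fmt.Errorf("refusing %q: no authorization middleware registered", name)
	}
	return mw(isGuardian)
}

// missingMiddleware lists admin mutations with no map entry; a test that
// asserts it is empty would have caught the omission before release.
func missingMiddleware(mws map[string]middleware) []string {
	var missing []string
	for _, m := range adminMutations {
		if _, ok := mws[m]; !ok {
			missing = append(missing, m)
		}
	}
	return missing
}

func main() {
	fmt.Println("missing middleware entries:", missingMiddleware(vulnerableMap))
}
```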
One key point has since changed: a patched release now exists for the v25 line. GitHub’s advisory database lists Dgraph v25.3.1 as the fixed version for the affected v25 package, even though the initial advisory text said no patched version was available when it was first published.
What the bug lets attackers do
The advisory says an attacker can send a crafted restoreTenant request without authentication and point Dgraph at attacker-controlled backup sources. In that scenario, the server can fetch and restore a malicious backup, which can overwrite data in the target namespace.
The same advisory says the vulnerable mutation accepts attacker-controlled source URLs, including file:// paths for local filesystem access. It also describes SSRF paths through backup and vault-related parameters, which could let a hostile request force the server to connect to internal services or cloud metadata endpoints.
Researchers Matthew McNeely and Koda Reef are credited in the GitHub advisory database entry and the security advisory material tied to this issue.
Affected versions and fixed builds
GitHub’s reviewed advisory lists several affected packages and ranges. For the current v25 package, affected versions run through 25.3.0, and the fixed release is 25.3.1. The advisory also lists affected older packages including github.com/dgraph-io/dgraph/v24 through 24.0.5 and github.com/dgraph-io/dgraph through 1.2.8.
That means organizations running Dgraph 25.3.0 or older on the v25 branch should move to 25.3.1 as soon as possible. Teams on older package lines should check the advisory and repository updates carefully because the published fixed-version information is clearer for v25 than for the older branches.
The official advisory also links to the fixing commit and to the v25.3.1 release page, which gives defenders a direct path to verify remediation.
Dgraph CVE-2026-34976 at a glance
| Item | Officially reported detail |
|---|---|
| CVE | CVE-2026-34976 |
| Severity | Critical, CVSS 3.1 score 10.0 |
| Root cause | Missing authorization, mapped to CWE-862 |
| Vulnerable function | restoreTenant admin mutation missing from middleware config |
| Main risks | Unauthenticated restore, database overwrite, SSRF, filesystem probing or read paths |
| Fixed version | v25.3.1 for github.com/dgraph-io/dgraph/v25 |
The exploitation path looks especially serious because the mutation sits on the admin API and the advisory says no authentication headers are needed in the proof-of-concept request. In practical terms, internet-exposed admin endpoints face the highest risk. That last sentence is a grounded inference from the published attack path and the fact that the mutation is remotely reachable over the admin interface.
What admins should do now
- Upgrade Dgraph v25 deployments to 25.3.1 immediately.
- Restrict access to Dgraph admin endpoints and keep them off the public internet. This is operational advice based on the advisory’s unauthenticated remote attack path.
- Review whether any systems expose the admin API on default or known management ports and lock access to trusted internal networks only. This is also a defensive recommendation inferred from the advisory’s remote exploitation model.
- Check repository release notes and the fix commit to confirm the exact patched build in your deployment workflow.
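As an added example for the exposure checks above (not from the advisory or the Dgraph project), this Go snippet scans access-log lines for the two signals a defender would want to triage first: restore mutations reaching the admin API with no credentials, and any admin-API traffic from outside the management network. The log format, the `10.0.0.0/8` trusted range and the `auth=`/`op=` fields are constructed assumptions for the example, not Dgraph's real log layout.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed access-log lines, not real Dgraph output: timestamp, client IP,
// method, path, whether an Authorization header was present, operation name.
const sampleLog = `2026-04-02T10:01:02Z 10.0.0.5 POST /admin auth=yes op=restore
2026-04-02T10:01:03Z 203.0.113.7 POST /admin auth=no op=restoreTenant
2026-04-02T10:01:04Z 10.0.0.5 POST /graphql auth=no op=queryUser
2026-04-02T10:01:05Z 198.51.100.2 POST /admin auth=yes op=backup`

// trustedNet is the assumed management range; restoreOps are the backup
// mutations the advisory names as the dangerous path.
var (
	trustedNet = netip.MustParsePrefix("10.0.0.0/8")
	restoreOps = map[string]bool{"restore": true, "restoreTenant": true}
)

// scanAdminLog flags admin-endpoint requests matching the advisory's risk
// pattern: restore mutations sent without credentials, and any admin
// traffic from outside the trusted management range.
func scanAdminLog(log string) []string {
	var findings []string
	for i, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 6 || f[3] != "/admin" {
			continue
		}
		ip, err := netip.ParseAddr(f[1])
		auth := strings.TrimPrefix(f[4], "auth=")
		op := strings.TrimPrefix(f[5], "op=")
		switch {
		case restoreOps[op] && auth == "no":
			findings = append(findings, fmt.Sprintf("line %d: unauthenticated %s on admin API", i+1, op))
		case err != nil || !trustedNet.Contains(ip):
			findings = append(findings, fmt.Sprintf("line %d: admin API reached from untrusted %s", i+1, f[1]))
		}
	}
	return findings
}

func main() {
	for _, f := range scanAdminLog(sampleLog) {
		fmt.Println(f)
	}
}
```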
FAQ
It is a critical Dgraph vulnerability caused by missing authorization on the restoreTenant admin mutation, which can let unauthenticated attackers reach dangerous admin functionality.
Yes. The advisory says restoreTenant was omitted from the authorization middleware map, so the request could execute with zero middleware protection.
The published advisory says attackers may overwrite the database, probe or read local files through file:// paths, and perform SSRF through attacker-controlled restore parameters.
For the v25 package line, GitHub lists 25.3.1 as the patched version.