CVE-2026-44840
Deferred Deferred - Pending Action

DQL Injection Vulnerability in Dgraph

Vulnerability report for CVE-2026-44840, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.4, the `checkUserPassword` GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL `checkpwd()` query via `fmt.Sprintf` without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks. Version 25.3.4 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dgraph dgraph to 25.3.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44840 is a DQL (Dgraph Query Language) injection vulnerability in Dgraph's `checkUserPassword` GraphQL query. The issue occurs because user-supplied password values are directly inserted into a DQL `checkpwd()` query string using `fmt.Sprintf` without any escaping or parameterization.

An attacker can exploit this by injecting a password containing a double-quote character, which breaks out of the DQL string literal and allows appending arbitrary DQL query blocks. This enables the attacker to manipulate the query execution.

The vulnerability exists in the GraphQL-to-DQL query rewriting layer, specifically in files like `query_rewriter.go` and `graphquery.go`, where the raw password string is embedded directly into the query.

The issue was fixed in version 25.3.4 by introducing parameterized queries that safely bind password values as variables instead of embedding them directly, preventing injection.

Impact Analysis

This vulnerability allows an attacker to inject malicious DQL queries through the `checkUserPassword` GraphQL query without authentication.

  • Attackers can enumerate data by appending arbitrary queries.
  • It can lead to disclosure of sensitive information stored in the database.
  • Attackers may exhaust server resources by executing expensive or repeated queries.

Because the attack is network-accessible and unauthenticated, it poses a significant risk to systems running vulnerable versions of Dgraph.

Detection Guidance

This vulnerability can be detected by monitoring GraphQL queries to the Dgraph server, specifically looking for the use of the `checkUserPassword` query with suspicious password inputs containing double-quote characters or other special characters that could indicate an injection attempt.

Since the vulnerability involves unauthenticated access to the `checkUserPassword` GraphQL query, network traffic analysis tools can be used to inspect GraphQL requests for unusual or malformed password parameters.

No explicit detection commands are provided in the resources, but you can use network capture tools like tcpdump or Wireshark to filter GraphQL requests, for example:

  • tcpdump -i <interface> -A -s 0 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'checkUserPassword'

Additionally, searching application logs for GraphQL queries containing `checkUserPassword` with suspicious password inputs can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Dgraph to version 25.3.4 or later, where the vulnerability has been fixed by implementing parameterized queries for password checks to prevent DQL injection.

If upgrading immediately is not possible, restrict network access to the GraphQL endpoints to trusted users only, as the vulnerable `checkUserPassword` query is accessible without authentication.

Monitor and block suspicious GraphQL queries that attempt to inject special characters in password fields.

Review and apply any available patches or configuration changes recommended by Dgraph security advisories.

Compliance Impact

The vulnerability allows unauthenticated attackers to inject malicious DQL queries via the checkUserPassword GraphQL query, potentially leading to unauthorized data enumeration and disclosure of sensitive information.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.

Because the vulnerability enables attackers to bypass authentication and access sensitive data, it increases the risk of non-compliance with these standards that mandate strict access controls and data confidentiality.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44840. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart