Critical (10.0)

Dgraph Unauthenticated Database Overwrite (CVE-2026-34976)

CVE-2026-34976

Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenti...

Overview

A critical security flaw in the open-source Dgraph database allows unauthenticated attackers to completely compromise the system. The vulnerability, tracked as CVE-2026-34976, stems from a missing authorization check for the restoreTenant admin mutation. This function was omitted from the security middleware configuration, leaving it completely open to any network request without any authentication.

Vulnerability Details

In Dgraph versions prior to 25.3.1, the restoreTenant administrative function executes with zero security checks. Unlike the similar restore mutation, which requires high-level “Guardian-of-Galaxy” authentication, restoreTenant bypasses all middleware. The mutation accepts attacker-controlled parameters, including backup source URLs, cloud storage credentials, and paths to encryption or credential files.

Impact

The impact of this vulnerability is severe and multifaceted. An unauthenticated remote attacker can:

  • Overwrite the entire database by supplying a malicious backup source.
  • Read sensitive server-side files by using the file:// protocol to access the local filesystem.
  • Perform Server-Side Request Forgery (SSRF) by forcing the server to make requests to internal network resources.
  • Exfiltrate credentials provided for S3, MinIO, or Vault integrations.

With a CVSS score of 10.0, this flaw represents the highest severity risk, requiring no privileges or user interaction to exploit.

Remediation and Mitigation

The primary and immediate action is to upgrade Dgraph to version 25.3.1 or later, which contains the fix. This update adds the restoreTenant mutation to the authorization middleware.

If immediate upgrading is not possible, consider these temporary mitigation steps:

  1. Network Segmentation: Restrict network access to Dgraph’s administrative HTTP/GraphQL ports (typically 8080) to only trusted management networks. Do not expose these ports to the internet.
  2. Firewall Rules: Implement strict ingress firewall rules to block external access to the Dgraph service from untrusted networks.
  3. Monitor for Exploitation: Review server and Dgraph logs for unexpected calls to the /admin endpoint, in particular any GraphQL request body that invokes the restoreTenant mutation.
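As an added illustration of the monitoring step (example code, not from Dgraph or this advisory), the script below scans constructed, already-parsed access records for /admin requests whose GraphQL body invokes restoreTenant (or restore) and rates each by whether the source address falls inside an assumed management network. The record fields, the trusted range and the sample request bodies are all assumptions made for the example.

```python
import ipaddress
import re

# Management networks allowed to reach /admin (an assumption for this example).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# restoreTenant is the mutation CVE-2026-34976 left unguarded; restore is watched
# too because it is just as destructive if it ever arrives from outside.
# Word boundaries tolerate aliases ("r:restoreTenant") and odd whitespace.
MUTATION_RE = re.compile(r"\b(restoreTenant|restore)\b")

def is_mutation(query: str) -> bool:
    # GraphQL shorthand "{ ... }" is always a query; a watched name only matters
    # inside an explicit mutation operation.
    return re.match(r"\s*mutation\b", query) is not None

def analyze(requests):
    """Return one finding per /admin request that invokes a watched mutation."""
    findings = []
    for req in requests:
        if req["path"].rstrip("/") != "/admin":
            continue
        query = req["body"].get("query", "")
        if not is_mutation(query):
            continue
        names = sorted(set(MUTATION_RE.findall(query)))
        if not names:
            continue
        src = ipaddress.ip_address(req["src"])
        trusted = any(src in net for net in TRUSTED_ADMIN_NETS)
        # restoreTenant/restore from outside the management network on an
        # unpatched node is an exploitation attempt; from inside it still needs review.
        findings.append({"ts": req["ts"], "src": req["src"], "mutations": names,
                         "severity": "review" if trusted else "critical"})
    return findings

# Constructed sample of parsed proxy access records (not real Dgraph log output).
SAMPLE_REQUESTS = [
    {"ts": "2026-03-01T10:00:01Z", "src": "10.0.5.12", "path": "/admin",
     "body": {"query": 'mutation { backup(input: {destination: "s3://bkp"}) { response { code } } }'}},
    {"ts": "2026-03-01T10:02:44Z", "src": "203.0.113.7", "path": "/admin",
     "body": {"query": 'mutation  {\n  r:restoreTenant(input:{location:"s3://untrusted/bkp"}) { code } }'}},
    {"ts": "2026-03-01T10:03:10Z", "src": "203.0.113.7", "path": "/admin",
     "body": {"query": "{ health { status } }"}},
    {"ts": "2026-03-01T10:05:00Z", "src": "10.0.5.3", "path": "/admin",
     "body": {"query": 'mutation { restore(input: {location: "s3://bkp"}) { code } }'}},
    {"ts": "2026-03-01T10:06:00Z", "src": "203.0.113.9", "path": "/graphql",
     "body": {"query": 'mutation { addPerson(input: [{name: "x"}]) { numUids } }'}},
]
```

Running `analyze(SAMPLE_REQUESTS)` yields two findings: the aliased restoreTenant from 203.0.113.7 rated critical, and the in-network restore rated review.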

Security Insight

This vulnerability highlights the critical risk of “missing middleware” bugs in API-driven systems, where a single configuration oversight can bypass an entire security model. It mirrors past incidents in other platforms where backup/restore functions were left unguarded, becoming a primary attack vector. The flaw underscores that in complex distributed systems, automated security coverage checks for all administrative endpoints are not just beneficial but essential.
