Critical Dgraph Database Vulnerability Let Attackers Bypass Authentication

CVE-2026-34976 is the name of a serious security hole that has been found in Dgraph, an open-source graph database. This serious flaw has a perfect CVSS score of 10.0 and lets remote attackers who aren't authenticated get around security controls. The GraphQL administration API in Dgraph is missing authorization (CWE-862), which is what caused this vulnerability.

The vulnerability affects Dgraph versions 25.3.0 or older and is very serious, resulting in a complete loss of data confidentiality, integrity, and availability. Network administrators need to act quickly to protect their networks and keep an eye on GitHub for updates to the Dgraph software until an official patch is released. Matthew McNeely and Koda Reef, two security researchers, say that the software fix is pretty simple: developers just need to add the restoreTenant mutation to the list of existing administrative middleware.

At the time of the disclosure, the official patched version of Dgraph was not yet available, but researchers said that adding the fix to existing middleware lists is simple. You can get the fix on GitHub or from the company's official site. If you want to try it out for your own organization, you can also get the source code for the D graph software.

Researchers said that the patch is on GitHub and should be available in the next few days. You can call the National Security Agency at 1-800-273-8255 or go to http://www.nsa.gov/ for private help. If you need help in the U.S., call the National Institute of Standards and Technology (NIST) at 1-866-282-9090.