Auth bypass in Dgraph-io Dgraph
CVE-2026-34976
Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutat…
Vulnerability class: Broken Access Control
EPSS: 0.002 (38.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Dgraph-io Dgraph — versions < 25.3.1
Weakness classification (CWE)
References
- https://github.com/dgraph-io/dgraph/security/advisories/GHSA-p5rh-vmhp-gvcw (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2026-34976?
- CVE-2026-34976 is a critical-severity vulnerability in Dgraph-io Dgraph, classified under Missing Authorization. CVSS score: 10.0/10. Published 2026-04-06.
- How severe is CVE-2026-34976?
- Critical severity. CVSS v3 base score is 10.0 out of 10.