Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-q2m9-6jp9-c6mc | Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query |
Fri, 10 Jul 2026 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Dgraph
Dgraph dgraph |
|
| Vendors & Products |
Dgraph
Dgraph dgraph |
Thu, 09 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Dgraph is an open source distributed GraphQL database. Prior to version 25.3.4, the `checkUserPassword` GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL `checkpwd()` query via `fmt.Sprintf` without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks. Version 25.3.4 patches the issue. | |
| Title | Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query | |
| Weaknesses | CWE-943 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T13:29:15.314Z
Reserved: 2026-05-07T21:21:48.352Z
Link: CVE-2026-44840
Updated: 2026-07-09T13:29:08.666Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T09:30:13Z
Github GHSA