CVE Disclosure

CVE-2026-44840

Dgraph · Go

DQL injection via checkUserPassword GraphQL query

CVSS severity: High
Status: Published

Summary

CVE-2026-44840 is a high-severity vulnerability affecting Dgraph (Go): DQL injection via checkUserPassword GraphQL query.

References

Disclosure

Reported by Kai Aizen. Status: Published. Coordinated through standard NVD/MITRE/GHSA channels.

Author
Kai Aizen
Independent Adversarial Research group. 66 published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID
CVE-2026-44840
Product
Dgraph
Severity
8.8 · High
Class
CWE-89
Affected: Dgraph versions exposing the vulnerable checkUserPassword resolver
References: NVD · MITRE · Vendor advisory
Frequently asked

CVE-2026-44840 — questions & answers

What is CVE-2026-44840?

CVE-2026-44840 is a query-language-injection vulnerability in Dgraph. The checkUserPassword GraphQL resolver concatenates untrusted input into a DQL query without parameterisation, letting an attacker break out of the intended query shape and run arbitrary DQL.

Am I affected by CVE-2026-44840?

You are affected if you run a Dgraph cluster that exposes the GraphQL API and uses or has used the built-in user/password resolver path. If your cluster is reachable from any network the attacker can reach, treat this as remotely exploitable.

How do I fix CVE-2026-44840?

Upgrade to the patched Dgraph release referenced in the GitHub Security Advisory. As mitigation, restrict GraphQL endpoint exposure at the network layer and audit logs for unusual checkUserPassword query shapes.
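The concatenation described in the answers above, placed beside its parameterised form, as an added Go example that is not Dgraph's code and does not reproduce the actual checkUserPassword resolver: the query shape, the predicate names `name` and `pass`, and the use of DQL's `checkpwd()` are assumptions chosen for illustration, and `skeleton` is a hypothetical helper showing the kind of query-shape comparison the log-audit mitigation calls for. The sample input is constructed only to show the string-literal boundary being broken.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed example (not Dgraph's code). The predicate names `name` and
// `pass` and the use of DQL's checkpwd() are assumptions chosen to give a
// plausible username/password lookup; the two builders differ only in how
// the caller's values reach the query.

// buildQueryUnsafe reproduces the pattern the advisory describes: untrusted
// input is concatenated into the DQL text. A double quote in the input ends
// the string literal, and whatever follows is parsed as query syntax.
func buildQueryUnsafe(username, password string) string {
	return fmt.Sprintf(`{
  user(func: eq(name, "%s")) {
    uid
    ok: checkpwd(pass, "%s")
  }
}`, username, password)
}

// buildQuerySafe is the parameterised form: the DQL text is a fixed template
// with declared variables, and the values travel in a separate map. This is
// the (query, vars) pair you would hand to dgo's Txn.QueryWithVars; the
// server binds the values as data, so the query shape cannot change.
func buildQuerySafe(username, password string) (string, map[string]string) {
	const tmpl = `query login($name: string, $pwd: string) {
  user(func: eq(name, $name)) {
    uid
    ok: checkpwd(pass, $pwd)
  }
}`
	return tmpl, map[string]string{"$name": username, "$pwd": password}
}

var (
	stringLiteral = regexp.MustCompile(`"(?:[^"\\]|\\.)*"`)
	whitespace    = regexp.MustCompile(`\s+`)
)

// skeleton (hypothetical helper) reduces a DQL query to its syntactic shape:
// every string literal collapses to "?" and whitespace is normalised. Two
// queries with the same skeleton differ only in literal values; a different
// skeleton means the input altered the query structure, which is the signal
// to look for when auditing logged checkUserPassword queries.
func skeleton(q string) string {
	s := stringLiteral.ReplaceAllString(q, `"?"`)
	return strings.TrimSpace(whitespace.ReplaceAllString(s, " "))
}

// shapeChanged reports whether a user-supplied value altered the shape of
// a concatenated query compared with a known-benign baseline value.
func shapeChanged(build func(string, string) string, benign, suspect string) bool {
	return skeleton(build(benign, "pw")) != skeleton(build(suspect, "pw"))
}

func main() {
	// Constructed sample input: a quote followed by a closing parenthesis is
	// enough to break out of the string literal in the concatenated query.
	suspect := `alice")`

	fmt.Println("unsafe shape changed:", shapeChanged(buildQueryUnsafe, "alice", suspect))

	q, vars := buildQuerySafe(suspect, "pw")
	fmt.Println("safe query skeleton:", skeleton(q))
	fmt.Println("safe vars:", vars) // the raw value lives here, not in the query text
}
```

Run stand-alone, the program shows the concatenated query's skeleton changing on the constructed input while the parameterised query text stays identical for any value; the same `skeleton` comparison, applied to logged queries against the expected template, is one concrete way to implement the "unusual query shapes" audit suggested above.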

What is the impact of CVE-2026-44840?

Authentication bypass and arbitrary DQL execution against the cluster — confidentiality and integrity impact. CVSS 8.8 High.

Where can I find authoritative references?

NVD record, MITRE CVE record, and the Dgraph GitHub Security Advisories tab at github.com/hypermodeinc/dgraph.