CVE-2026-44840

HIGHPre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query

Summary

The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL checkpwd() query via fmt.Sprintf without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks.

Details

Vulnerable Code Path

The vulnerability exists in the GraphQL-to-DQL query rewriting layer:

  • query_rewriter.go (~line 364) — The checkpwd() DQL function is constructed using fmt.Sprintf:

fmt.Sprintf(checkpwd(User.password, "%s"), password)

The raw password string from the GraphQL query input is embedded directly into the DQL query without escaping double quotes or other special characters.

  • graphquery.go — The constructed query attribute is serialized into the final DQL string via b.WriteString(query.Attr), passing the unsanitized content directly to the Dgraph query engine.

Attack Mechanism

A password value containing a double-quote (") terminates the string literal in the checkpwd() function. Any content after the escaped quote is parsed as additional DQL, allowing the attacker to inject arbitrary query blocks.

Distinction from CVE-2026-41328 and CVE-2026-41327

CVE-2026-41328 and CVE-2026-41327 address DQL injection in edgraph/server.go, where GraphQL mutation inputs (upsert/delete) are embedded unsafely into DQL mutations. Those fixes sanitize the mutation path.

This vulnerability is in a completely different code path — the GraphQL query rewriter (query_rewriter.gographquery.go). The checkUserPassword GraphQL query triggers a DQL *query* via checkpwd(), and this query construction was not covered by the patches for CVE-2026-41328/CVE-2026-41327.

PoC

curl -s -X POST http://TARGET:8080/graphql \
  -H "Content-Type: application/json" \
  -d '{ "query": "query { checkUserPassword(name: \"admin\", password: \"x\\\") { uid } injected(func: has(User.name)) { User.name User.email } dummy(func: eq(x, \\\"x\") { msg } }") { msg } }" }'

What to observe:

  • The touched_uids field in the extensions section of the response will be elevated (indicating the injected blocks executed)
  • Dgraph server logs (dgraph alpha output) will show the injected query blocks being parsed and executed
  • The response itself may be filtered by the GraphQL layer, but server-side execution is confirmed

Impact

  • Data enumeration: Injected query blocks execute server-side and can probe for the existence of predicates, types, and nodes via touched_uids metrics and server logs.
  • Schema discovery: An attacker can enumerate all predicates and types in the database by injecting schema {} blocks or has() queries.
  • Resource exhaustion: Expensive injected queries (recursive traversals, large aggregations) execute at the DQL layer, consuming server resources regardless of whether results are returned to the attacker.
  • Potential data disclosure: Depending on Dgraph configuration (e.g., debug mode, custom extensions), injected query results may leak into the response.

CVSS 3.1: 7.5 HighAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Network-accessible via any GraphQL endpoint
  • No authentication required (checkUserPassword is an unauthenticated query)
  • Low attack complexity (single crafted HTTP request)
  • High confidentiality impact (server-side query execution confirmed, data enumeration possible)

Affected Versions

All versions of Dgraph that include GraphQL support with the @secret directive are affected:

  • <= v25.3.3
  • Any version where query_rewriter.go constructs checkpwd() via string interpolation

Suggested Fix

Escape or parameterize the password value before embedding it in the DQL query. At minimum, double-quote characters in the password must be escaped:

// Before (vulnerable):
fmt.Sprintf(checkpwd(User.password, "%s"), password)

// After (escaped): escaped := strings.ReplaceAll(password, \, \\) escaped = strings.ReplaceAll(escaped, ", \") fmt.Sprintf(checkpwd(User.password, "%s"), escaped)

Ideally, Dgraph should implement parameterized query support for the checkpwd() function to avoid string interpolation entirely, consistent with best practices for injection prevention.

Credit

Kai Aizen ([email protected])

CVSS v3
7.5
EG Score
7.5(low)
EPSS
KEV
Not listed

Published

June 29, 2026

Last Modified

June 29, 2026

Vendor Advisories for CVE-2026-44840(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 14× in last 7d / 15× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 03:25 UTCEG score recompute
  2. 2026-07-06 15:07 UTCEG score recompute
  3. 2026-07-06 02:40 UTCEG score recompute
  4. 2026-07-05 14:22 UTCEG score recompute
  5. 2026-07-05 02:05 UTCEG score recompute
  6. 2026-07-04 13:46 UTCEG score recompute
  7. 2026-07-04 01:29 UTCEG score recompute
  8. 2026-07-03 13:12 UTCEG score recompute
  9. 2026-07-03 00:55 UTCEG score recompute
  10. 2026-07-02 12:38 UTCEG score recompute
  11. 2026-07-02 00:19 UTCEG score recompute
  12. 2026-07-01 12:01 UTCEG score recompute
  13. 2026-06-30 23:44 UTCEG score recompute
  14. 2026-06-30 11:22 UTCEG score recompute
  15. 2026-06-29 23:05 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-44840?
CVE-2026-44840 is a high vulnerability published on June 29, 2026. Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query Summary The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL checkpwd() query via fmt.Sprintf without any…
When was CVE-2026-44840 disclosed?
CVE-2026-44840 was first published in the National Vulnerability Database on June 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-44840?
CVE-2026-44840 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-44840?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-44840, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-44840

Explore →

Is Your Infrastructure Affected by CVE-2026-44840?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.