+ "details": "## Summary\n\nThe `checkUserPassword` GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL `checkpwd()` query via `fmt.Sprintf` without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks.\n\n## Details\n\n### Vulnerable Code Path\n\nThe vulnerability exists in the GraphQL-to-DQL query rewriting layer:\n\n1. **`query_rewriter.go` (~line 364)** — The `checkpwd()` DQL function is constructed using `fmt.Sprintf`:\n\n ```go\n fmt.Sprintf(`checkpwd(User.password, \"%s\")`, password)\n ```\n\n The raw password string from the GraphQL query input is embedded directly into the DQL query without escaping double quotes or other special characters.\n\n2. **`graphquery.go`** — The constructed query attribute is serialized into the final DQL string via `b.WriteString(query.Attr)`, passing the unsanitized content directly to the Dgraph query engine.\n\n### Attack Mechanism\n\nA password value containing a double-quote (`\"`) terminates the string literal in the `checkpwd()` function. Any content after the escaped quote is parsed as additional DQL, allowing the attacker to inject arbitrary query blocks.\n\n### Distinction from CVE-2026-41328 and CVE-2026-41327\n\nCVE-2026-41328 and CVE-2026-41327 address DQL injection in **`edgraph/server.go`**, where GraphQL mutation inputs (upsert/delete) are embedded unsafely into DQL mutations. Those fixes sanitize the mutation path.\n\nThis vulnerability is in a **completely different code path** — the **GraphQL query rewriter** (`query_rewriter.go` → `graphquery.go`). The `checkUserPassword` GraphQL query triggers a DQL *query* via `checkpwd()`, and this query construction was not covered by the patches for CVE-2026-41328/CVE-2026-41327.\n\n## PoC\n\n```bash\ncurl -s -X POST http://TARGET:8080/graphql \\\n -H \"Content-Type: application/json\" \\\n -d '{ \"query\": \"query { checkUserPassword(name: \\\"admin\\\", password: \\\"x\\\\\\\") { uid } injected(func: has(User.name)) { User.name User.email } dummy(func: eq(x, \\\\\\\"x\\\") { msg } }\") { msg } }\" }'\n```\n\n**What to observe:**\n\n- The `touched_uids` field in the `extensions` section of the response will be elevated (indicating the injected blocks executed)\n- Dgraph server logs (`dgraph alpha` output) will show the injected query blocks being parsed and executed\n- The response itself may be filtered by the GraphQL layer, but server-side execution is confirmed\n\n## Impact\n\n- **Data enumeration**: Injected query blocks execute server-side and can probe for the existence of predicates, types, and nodes via `touched_uids` metrics and server logs.\n- **Schema discovery**: An attacker can enumerate all predicates and types in the database by injecting `schema {}` blocks or `has()` queries.\n- **Resource exhaustion**: Expensive injected queries (recursive traversals, large aggregations) execute at the DQL layer, consuming server resources regardless of whether results are returned to the attacker.\n- **Potential data disclosure**: Depending on Dgraph configuration (e.g., debug mode, custom extensions), injected query results may leak into the response.\n\n**CVSS 3.1: 7.5 High** — `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`\n\n- Network-accessible via any GraphQL endpoint\n- No authentication required (`checkUserPassword` is an unauthenticated query)\n- Low attack complexity (single crafted HTTP request)\n- High confidentiality impact (server-side query execution confirmed, data enumeration possible)\n\n## Affected Versions\n\nAll versions of Dgraph that include GraphQL support with the `@secret` directive are affected:\n\n- <= v25.3.3\n- Any version where `query_rewriter.go` constructs `checkpwd()` via string interpolation\n\n## Suggested Fix\n\nEscape or parameterize the password value before embedding it in the DQL query. At minimum, double-quote characters in the password must be escaped:\n\n```go\n// Before (vulnerable):\nfmt.Sprintf(`checkpwd(User.password, \"%s\")`, password)\n\n// After (escaped):\nescaped := strings.ReplaceAll(password, `\\`, `\\\\`)\nescaped = strings.ReplaceAll(escaped, `\"`, `\\\"`)\nfmt.Sprintf(`checkpwd(User.password, \"%s\")`, escaped)\n```\n\nIdeally, Dgraph should implement parameterized query support for the `checkpwd()` function to avoid string interpolation entirely, consistent with best practices for injection prevention.\n\n## Credit\n\nKai Aizen (kai.aizen.dev@gmail.com)",
0 commit comments