The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL checkpwd() query via fmt.Sprintf without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks.
The vulnerability exists in the GraphQL-to-DQL query rewriting layer:
query_rewriter.go (~line 364) — The checkpwd() DQL function is constructed using fmt.Sprintf:
fmt.Sprintf(`checkpwd(User.password, "%s")`, password)
The raw password string from the GraphQL query input is embedded directly into the DQL query without escaping double quotes or other special characters.
graphquery.go — The constructed query attribute is serialized into the final DQL string via b.WriteString(query.Attr), passing the unsanitized content directly to the Dgraph query engine.
A password value containing a double-quote (") terminates the string literal in the checkpwd() function. Any content after the escaped quote is parsed as additional DQL, allowing the attacker to inject arbitrary query blocks.
CVE-2026-41328 and CVE-2026-41327 address DQL injection in edgraph/server.go, where GraphQL mutation inputs (upsert/delete) are embedded unsafely into DQL mutations. Those fixes sanitize the mutation path.
This vulnerability is in a completely different code path — the GraphQL query rewriter (query_rewriter.go → graphquery.go). The checkUserPassword GraphQL query triggers a DQL query via checkpwd(), and this query construction was not covered by the patches for CVE-2026-41328/CVE-2026-41327.
curl -s -X POST http://TARGET:8080/graphql \
-H "Content-Type: application/json" \
-d '{ "query": "query { checkUserPassword(name: \"admin\", password: \"x\\\") { uid } injected(func: has(User.name)) { User.name User.email } dummy(func: eq(x, \\\"x\") { msg } }") { msg } }" }'
What to observe:
touched_uids field in the extensions section of the response will be elevated (indicating the injected blocks executed)dgraph alpha output) will show the injected query blocks being parsed and executedtouched_uids metrics and server logs.schema {} blocks or has() queries.CVSS 3.1: 7.5 High — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
checkUserPassword is an unauthenticated query)All versions of Dgraph that include GraphQL support with the @secret directive are affected:
query_rewriter.go constructs checkpwd() via string interpolationEscape or parameterize the password value before embedding it in the DQL query. At minimum, double-quote characters in the password must be escaped:
// Before (vulnerable):
fmt.Sprintf(`checkpwd(User.password, "%s")`, password)
// After (escaped):
escaped := strings.ReplaceAll(password, `\`, `\\`)
escaped = strings.ReplaceAll(escaped, `"`, `\"`)
fmt.Sprintf(`checkpwd(User.password, "%s")`, escaped)
Ideally, Dgraph should implement parameterized query support for the checkpwd() function to avoid string interpolation entirely, consistent with best practices for injection prevention.
Kai Aizen (kai.aizen.dev@gmail.com)
{
"github_reviewed_at": "2026-06-29T22:53:52Z",
"nvd_published_at": null,
"github_reviewed": true,
"cwe_ids": [
"CWE-943"
],
"severity": "HIGH"
}