Dgraph Unauthenticated Admin Mutation Vulnerability Allowing Database Overwrite and SSRF

Vulnerability

A critical vulnerability exists in Dgraph versions prior to 25.3.1: the restoreTenant admin mutation is exposed without any authentication or authorization check. Unlike the closely related restore mutation, which is guarded, restoreTenant is not included in the authorization middleware configuration for the admin endpoint, so any client that can reach the endpoint can invoke it. Because the mutation accepts a backup source (a local file path or an S3/MinIO location, with optional credentials), an attacker can use it to overwrite the entire database with a backup they control, make the server read files from its own filesystem, or make the server issue outbound requests to hosts of the attacker's choosing (server-side request forgery). Exploitation consists of sending a request to the admin endpoint with a crafted backup location, S3/MinIO credentials, or file path; the server processes it without authenticating the caller.

Impact

Anyone who can reach the admin endpoint can invoke restoreTenant before authenticating. The consequences are unauthorized overwriting of the database with attacker-supplied backup data, reading of sensitive files on the server, and SSRF against internal services, including cloud instance metadata endpoints, whose responses or error messages may leak internal information.

Reproduction

Send a POST request to the Dgraph admin GraphQL endpoint (/admin on the Alpha HTTP port, 8080 by default) containing a restoreTenant mutation. No authorization header or access token is needed, because the mutation is unauthenticated. The mutation's input carries a backup location, which can point to an S3 bucket the attacker controls, together with whatever credentials that bucket requires. When the mutation executes, the server fetches the backup from that location and restores it over the existing data with no authentication or authorization check. The file-read and SSRF variants use the same request shape: the backup location is a local path or a URL that the server opens on the attacker's behalf.

Remediation

Update to Dgraph version 25.3.1 or later, where this vulnerability has been addressed. Until the upgrade is in place, make sure the Alpha HTTP port (8080 by default) and its /admin endpoint are not reachable from untrusted networks; Dgraph's admin IP whitelist (the whitelist option of the --security flag) limits which source addresses may invoke admin operations, and a network-level restriction on the port closes the pre-authentication path entirely.
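A non-destructive check that covers both the reproduction above and the fixed version from the remediation, written as an added example; it is not code from the advisory or from the Dgraph project. It reads the Alpha version from the /health endpoint and compares it against 25.3.1, then sends a restoreTenant mutation whose backup location is a constructed, nonexistent local path, so that if the resolver runs at all it fails while looking for a backup manifest instead of overwriting anything. The response is classified by heuristics on error text. The endpoint paths (/admin, /health), the RestoreTenantInput shape (restoreInput with a location, plus fromNamespace) and the error-message markers are assumptions drawn from Dgraph's admin schema and should be verified against an introspection query before relying on the result. Run it only against a cluster you own.

```python
"""Probe whether restoreTenant is reachable without credentials on a Dgraph Alpha.

Added example, not part of the original advisory or of Dgraph's own code.
Assumptions (verify with an introspection query against your cluster):
  - admin GraphQL endpoint: <base_url>/admin, health: <base_url>/health
  - restoreTenant(input: RestoreTenantInput!) with
    {restoreInput: {location: String!, ...}, fromNamespace: Int!}
  - /health returns a JSON list of instance objects carrying a "version" string
"""
import json
import re
import urllib.error
import urllib.request

FIXED_VERSION = (25, 3, 1)

# Constructed location that can never hold a real backup: a reachable resolver
# fails reading a manifest here rather than restoring anything.
HARMLESS_LOCATION = "/nonexistent-dgraph-probe"

# Heuristic markers (assumed wording, not an exhaustive list of Dgraph messages).
AUTH_MARKERS = ("unauthorized", "guardian", "not allowed", "permission denied", "access denied")
SCHEMA_MARKERS = ("cannot query field", "unknown field", "not defined")


def build_probe_mutation(location: str = HARMLESS_LOCATION, from_namespace: int = 0) -> dict:
    """GraphQL request body for restoreTenant pointed at a location that cannot restore."""
    query = (
        "mutation RestoreTenantProbe($input: RestoreTenantInput!) {"
        "  restoreTenant(input: $input) { code message }"
        "}"
    )
    variables = {"input": {"restoreInput": {"location": location}, "fromNamespace": from_namespace}}
    return {"query": query, "variables": variables}


def classify(response: dict) -> str:
    """Map an admin-endpoint response to one of:
    'blocked'   rejected before the restore ran (auth or IP whitelist error)
    'absent'    the schema has no restoreTenant mutation at all
    'reachable' the resolver ran unauthenticated (error about the bogus backup, or success)
    'unknown'   anything else; inspect manually
    """
    errors = response.get("errors") or []
    messages = " ".join(str(e.get("message", "")) for e in errors).lower()
    if any(m in messages for m in SCHEMA_MARKERS):
        return "absent"
    if any(m in messages for m in AUTH_MARKERS):
        return "blocked"
    payload = (response.get("data") or {}).get("restoreTenant")
    if errors or payload:
        return "reachable"
    return "unknown"


def parse_version(version: str):
    """'v25.3.0' -> (25, 3, 0); None when the string is not a semver-like version."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version: str) -> bool:
    """True when the reported Alpha version is 25.3.1 or later."""
    parsed = parse_version(version)
    return parsed is not None and parsed >= FIXED_VERSION


def post_admin(base_url: str, body: dict, timeout: float = 10) -> dict:
    """POST a GraphQL body to /admin with no access token and return the decoded JSON.
    Dgraph usually reports resolver errors with HTTP 200, but a 4xx/5xx body is decoded too."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/admin",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read() or b"{}")


def health_versions(base_url: str, timeout: float = 10) -> list:
    """Version strings reported by /health (one per instance in the response)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/health", timeout=timeout) as resp:
        return [entry.get("version", "") for entry in json.loads(resp.read())]


if __name__ == "__main__":
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    for v in health_versions(base):
        print(f"alpha version {v}: {'fixed' if is_fixed(v) else 'in vulnerable range (< v25.3.1)'}")
    print("restoreTenant without credentials:", classify(post_admin(base, build_probe_mutation())))
```

A "reachable" verdict on a version below 25.3.1 confirms the authorization gap without touching data; "blocked" on a fixed version is the expected result, and "blocked" on an unfixed version most likely means the admin IP whitelist or network controls are already stopping the request.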

Added: Apr 6, 2026, 5:33 PM
Updated: Apr 6, 2026, 5:33 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.7
exploitability: 9.1
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.