GraphDB 11.3.2 Release Notes

07/04/2026

Important

GraphDB 11.3.2 fixes several critical security issues and third-party vulnerabilities. Notably, this release addresses a critical vulnerability where XML parsers could be used as a potential vector for an XXE attack — to resolve this issue, retrieving XML files that contain DOCTYPE declarations is no longer supported when performing federated SPARQL queries, in accordance to the specification. Another critical vulnerability where an RCE attack could be potentially carried out through the Avatica translation layer has also been resolved. This release also addresses a number of major or less severe bugs related to the core functionalities of GraphDB, the cluster mechanism, GraphQL and the GraphDB Workbench, among other things.

We recommend everyone to upgrade.

Bug fixing

	Description	Introduced	Severity
GDB-14149	Nested optional filter assigns non-existent values (`BINDs`) instead of filtering	11.3	Major
GDB-13665	Transaction rollbacks of concurrent updates is not always isolated	11.2	Medium

Bug fixing

	Description	Introduced	Severity
GDB-14283	Leader didn’t attempt to catch up node after receiving higher term and neither step down	10.0	Major
GDB-13720	Invalid repo configuration breaks the cluster	11.2	Major

New features and improvements

GDB-14300 “Invalid direct role” LDAP warning log has been demoted to debug level

Bug fixing

	Description	Introduced	Severity
GDB-14334	Vulnerability with potential XXE attacks through XML parsers — Disallows DOCTYPE Note When performing federated SPARQL queries, ensure that DTD (Document Type Definition)/`DOCTYPE` declarations are excluded, as they are no longer supported.		Critical
GDB-14326	x509 certificates are incorrectly decoded from HTTP headers	10.7	Major
GDB-14251	Remote Code Execution via Avatica translation layer		Critical
GDB-14240	Users with GRAPHQL-only rights defined in the LDAP can still access the SPARQL `READ` functionality via the REST API	11.3	Major
GDB-13749	Local Path traversal in repository ID allows file writes to arbitrary locations on disk		Medium

Fixed third-party vulnerabilities

Vulnerability	Severity
CVE-2026-24734	7.5 High
CVE-2026-33871	8.7 High
CVE-2026-33870	7.5 High
CVE-2026-22732	9.1 Critical

Bug fixing

	Description	Introduced	Severity
GDB-14304	GraphQL relations attribute counting counts the relations themselves in the results count when there are inverse or symmetric relations	11.0	Major
GDB-14290	Users can see the count of all sub-entities even when lacking the permission to view the sub-entities themselves		Major
GDB-13541	“Cannot rollback transaction already committed transaction for request” randomly returned in Semantic Objects	11.2	Medium

New features and improvements

GDB-14221 Allow overriding the Base URL protocol for the Swagger UI

Bug fixing

	Description	Introduced	Severity
GDB-14241	Pressing the SPARQL redirect button under SPARQL Explain in Talk to Your Graph does not add the necessary prefixes in the editor	11.0	Medium
GDB-14239	SPARQL Editor buttons are hidden behind the scrollbar if the browser has been zoomed out	11.3.1	Minor
GDB-14236	Pressing Cancel when in the Users and Access ‣ Edit user permissions menu does not revert back to user list	11.0	Minor
GDB-14183	Error occurs when pressing Save button in the Edit/Clone Agent dialog in Talk to Your Graph		Medium
GDB-14166	Loading the visual graph from the SPARQL view takes too long	11.2.1	Medium
GDB-13846	Resizing the Welcome page stacks the banner text	11.3	Minor
GDB-13806	Navbar is rendered on login page after GDB instance is restarted	11.3	Minor
GDB-6208	Switching to a FedX repository from a worker repository in a cluster when in `/namespaces` view caches the namespaces list	9.10	Medium

In this section: