Skip to main content

Dgraph CVE-2026-54061

| EUVDEUVD-2026-42235 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-07-08 security-advisories@github.com
9.1
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
9.1 CRITICAL

Unauthenticated, low-complexity network RPC on :9080 (AV:N/AC:L/PR:N/UI:N); Prepare() destroys and replaces data giving I:H/A:H, while no data is read so C:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 15:01 EUVD
Analysis Generated
Jul 08, 2026 - 14:37 vuln.today

DescriptionCVE.org

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send Badger stream data to the target group’s store. In addition, the receiver calls Prepare() before processing the stream. This operation deletes and replaces the existing DB data. Version 25.3.5 patches the issue.

AnalysisAI

Missing authentication in Dgraph Alpha lets an unauthenticated network client destroy and overwrite an entire database group's data via the external-snapshot import RPCs exposed on the public gRPC port :9080. Any attacker able to reach port 9080 can open a StreamExtSnapshot session; because the receiver calls Prepare() before ingesting the stream, the existing store is deleted and replaced with attacker-supplied Badger data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Alpha gRPC port :9080
Delivery
Open unauthenticated StreamExtSnapshot RPC
Exploit
Receiver calls Prepare(), wipes store
Execution
Stream attacker Badger data
Impact
Group data destroyed or replaced

Vulnerability AssessmentAI

Exploitation The attacker needs network reachability to a Dgraph Alpha node's public gRPC port :9080 on a version prior to 25.3.5; no authentication, authorization, credentials, or user interaction is required (consistent with PR:N/UI:N), and the vulnerable StreamExtSnapshot / external-snapshot-import RPCs are exposed by default on that port. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), which is consistent with the description: network-reachable, low complexity, no privileges and no user interaction, with high integrity and availability impact and no confidentiality impact (the attacker overwrites/destroys rather than reads data). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an unpatched Dgraph Alpha's :9080 gRPC port opens a StreamExtSnapshot session without any credentials and begins sending crafted Badger stream data to a target group's store. Because the receiver calls Prepare() first, the group's existing data is deleted and replaced with the attacker's content, causing data destruction or attacker-controlled data injection. …
Remediation Vendor-released patch: upgrade Dgraph to version 25.3.5 or later, which adds the missing authentication/authorization on the snapshot-import RPCs (release https://github.com/dgraph-io/dgraph/releases/tag/v25.3.5, advisory https://github.com/dgraph-io/dgraph/security/advisories/GHSA-rrwh-6jrq-wp5v). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Dgraph Alpha deployments and immediately restrict untrusted network access to port 9080 using firewall rules; segment Dgraph from external networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54061 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy