Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Unauthenticated, low-complexity network RPC on :9080 (AV:N/AC:L/PR:N/UI:N); Prepare() destroys and replaces data giving I:H/A:H, while no data is read so C:N.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send Badger stream data to the target group’s store. In addition, the receiver calls Prepare() before processing the stream. This operation deletes and replaces the existing DB data. Version 25.3.5 patches the issue.
AnalysisAI
Missing authentication in Dgraph Alpha lets an unauthenticated network client destroy and overwrite an entire database group's data via the external-snapshot import RPCs exposed on the public gRPC port :9080. Any attacker able to reach port 9080 can open a StreamExtSnapshot session; because the receiver calls Prepare() before ingesting the stream, the existing store is deleted and replaced with attacker-supplied Badger data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker needs network reachability to a Dgraph Alpha node's public gRPC port :9080 on a version prior to 25.3.5; no authentication, authorization, credentials, or user interaction is required (consistent with PR:N/UI:N), and the vulnerable StreamExtSnapshot / external-snapshot-import RPCs are exposed by default on that port. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), which is consistent with the description: network-reachable, low complexity, no privileges and no user interaction, with high integrity and availability impact and no confidentiality impact (the attacker overwrites/destroys rather than reads data). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an unpatched Dgraph Alpha's :9080 gRPC port opens a StreamExtSnapshot session without any credentials and begins sending crafted Badger stream data to a target group's store. Because the receiver calls Prepare() first, the group's existing data is deleted and replaced with the attacker's content, causing data destruction or attacker-controlled data injection. … |
| Remediation | Vendor-released patch: upgrade Dgraph to version 25.3.5 or later, which adds the missing authentication/authorization on the snapshot-import RPCs (release https://github.com/dgraph-io/dgraph/releases/tag/v25.3.5, advisory https://github.com/dgraph-io/dgraph/security/advisories/GHSA-rrwh-6jrq-wp5v). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Dgraph Alpha deployments and immediately restrict untrusted network access to port 9080 using firewall rules; segment Dgraph from external networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42235