CVE-2026-54061
Deferred Deferred - Pending Action

Unauthenticated Data Replacement in Dgraph Alpha

Vulnerability report for CVE-2026-54061, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port `:9080` without authentication or authorization. As a result, an unauthenticated network client can open `StreamExtSnapshot` and send Badger stream data to the target group’s store. In addition, the receiver calls `Prepare()` before processing the stream. This operation deletes and replaces the existing DB data. Version 25.3.5 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
dgraph dgraph to 25.3.5 (exc)
dgraph dgraph 25.3.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-54061 allows unauthenticated attackers to delete or replace database data in Dgraph Alpha, potentially leading to data loss or unauthorized data modification.

Such unauthorized data manipulation can impact the integrity and availability of sensitive information, which are critical aspects of compliance with standards like GDPR and HIPAA.

In deployments with Access Control Lists (ACLs), the vulnerability could also lead to privilege escalation, further risking unauthorized access to protected data.

Therefore, this vulnerability could cause non-compliance with regulations that require strict data protection, access control, and data integrity safeguards.

Executive Summary

CVE-2026-54061 is a critical vulnerability in Dgraph Alpha versions 25.3.4 and earlier where the external snapshot import RPCs, including StreamExtSnapshot, are exposed on the public gRPC port :9080 without any authentication or authorization.

This allows an unauthenticated attacker to send Badger stream data to a target group’s store. When the receiver processes this stream, it calls a Prepare() operation that deletes and replaces the existing database data.

As a result, an attacker can delete or replace the database contents, potentially causing data loss or injecting attacker-controlled data.

Impact Analysis

This vulnerability can have severe impacts including complete loss or replacement of your database data without any authentication.

In deployments with Access Control Lists (ACLs) enabled, an attacker could replace group 1, which stores ACL and internal predicates, potentially leading to privilege escalation.

Overall, it compromises data integrity and availability, allowing attackers to disrupt or take control of your database.

Detection Guidance

This vulnerability involves the exposure of Dgraph Alpha's external snapshot import RPCs on the public gRPC port :9080 without authentication or authorization.

To detect this vulnerability on your network or system, you can check if the gRPC port 9080 is open and accessible from untrusted networks.

You may use network scanning tools or commands such as:

  • nmap -p 9080 --open <target-ip> # To check if port 9080 is open
  • grpcurl -plaintext <target-ip>:9080 list # To list exposed gRPC services on port 9080
  • grpcurl -plaintext <target-ip>:9080 describe # To describe the RPC methods exposed

If you observe that the StreamExtSnapshot RPC or other snapshot import RPCs are accessible without authentication, your system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include upgrading Dgraph Alpha to version 25.3.5 or later, where this vulnerability is patched.

If upgrading immediately is not possible, restrict network access to the gRPC port 9080 to trusted clients only, for example by firewall rules or network segmentation.

Additionally, implement administrator authorization checks and gRPC stream interceptors to enforce authentication and authorization on snapshot import operations.

Avoid exposing the gRPC port 9080 publicly until the patch is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54061. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart