PT-2026-56423 · Dgraph · Dgraph
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-54061
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Dgraph versions prior to 25.3.5
Description
Dgraph Alpha exposes privileged RPCs used for external snapshot import on the public gRPC port
:9080 without authentication or authorization. An unauthenticated network client can access the StreamExtSnapshot endpoint to send Badger stream data to the target group store. Because the receiver executes the Prepare() function before processing the stream, this operation deletes and replaces the existing database data, leading to full database destruction, service outages, and data loss.Recommendations
Update to version 25.3.5.
Exploit
Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Dgraph