PT-2026-56423 · Dgraph · Dgraph

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-54061

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.5
Description Dgraph Alpha exposes privileged RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. An unauthenticated network client can access the StreamExtSnapshot endpoint to send Badger stream data to the target group store. Because the receiver executes the Prepare() function before processing the stream, this operation deletes and replaces the existing database data, leading to full database destruction, service outages, and data loss.
Recommendations Update to version 25.3.5.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54061
GHSA-RRWH-6JRQ-WP5V

Affected Products

Dgraph