πŸ” CVE Alert

CVE-2026-54061

CRITICAL 9.1

Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import

CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port `:9080` without authentication or authorization. As a result, an unauthenticated network client can open `StreamExtSnapshot` and send Badger stream data to the target group’s store. In addition, the receiver calls `Prepare()` before processing the stream. This operation deletes and replaces the existing DB data. Version 25.3.5 patches the issue.

CWE CWE-306
Vendor dgraph-io
Product dgraph
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for dgraph-io dgraph

Be the first to know when new critical vulnerabilities affecting dgraph-io dgraph are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Affected Versions

dgraph-io / dgraph
< 25.3.5

References

NVD β†— CVE.org β†— EPSS Data β†—
github.com: https://github.com/dgraph-io/dgraph/security/advisories/GHSA-rrwh-6jrq-wp5v github.com: https://github.com/dgraph-io/dgraph/releases/tag/v25.3.5