Authentication Flaw in Dgraph Alpha Affects Distributed GraphQL Database by Dgraph
CVE-2026-54061

9.1CRITICAL

Key Information:

Vendor

Dgraph-io

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-54061?

Dgraph Alpha, an open-source distributed GraphQL database, suffers from a security flaw where the RPCs for external snapshot imports are exposed on a publicly accessible gRPC port without any authentication or authorization checks. This vulnerability allows unauthorized network clients to initiate a StreamExtSnapshot, potentially leading to detrimental effects as they can send Badger stream data to the database's store. Additionally, the Prepare() function is invoked before processing the stream, which could inadvertently delete and replace existing database data. An update to version 25.3.5 addresses these issues, reinforcing security and protecting data integrity.

Affected Version(s)

dgraph < 25.3.5

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.