Authentication Flaw in Dgraph Alpha Affects Distributed GraphQL Database by Dgraph
CVE-2026-54061
9.1CRITICAL
What is CVE-2026-54061?
Dgraph Alpha, an open-source distributed GraphQL database, suffers from a security flaw where the RPCs for external snapshot imports are exposed on a publicly accessible gRPC port without any authentication or authorization checks. This vulnerability allows unauthorized network clients to initiate a StreamExtSnapshot, potentially leading to detrimental effects as they can send Badger stream data to the database's store. Additionally, the Prepare() function is invoked before processing the stream, which could inadvertently delete and replace existing database data. An update to version 25.3.5 addresses these issues, reinforcing security and protecting data integrity.
Affected Version(s)
dgraph < 25.3.5
