CVE-2026-54061
dgraph-io · Dgraph
Dgraph Alpha exposes RPCs for external snapshot imports on the public gRPC port without authentication, allowing unauthenticated remote attackers to overwrite database contents.
Executive summary
An authentication bypass in Dgraph allows unauthenticated remote attackers to delete and replace database data via the external snapshot import RPC.
Vulnerability
The Dgraph Alpha service fails to enforce authentication or authorization for the StreamExtSnapshot RPC on the public gRPC port :9080. This allows an unauthenticated client to push snapshot data to the store, which triggers a Prepare() operation that wipes existing data.
Business impact
This vulnerability poses a catastrophic risk to data availability and integrity. An attacker can completely destroy or overwrite production databases, leading to significant service disruption and permanent data loss. The 9.1 CVSS score underscores the danger of exposed, unauthenticated administrative functions in a database environment.
Remediation
Immediate Action: Upgrade to Dgraph version 25.3.5 or later immediately. Ensure that the public gRPC port :9080 is not exposed to the public internet.
Proactive Monitoring: Audit network traffic to the gRPC port for unauthorized StreamExtSnapshot calls and monitor database logs for unexpected snapshot import events.
Compensating Controls: Use network-level access control lists (ACLs) or firewalls to restrict access to port :9080 to trusted internal IP addresses only.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This is a critical vulnerability that allows for complete data destruction. Organizations must prioritize applying the update and ensuring that database ports are properly firewalled from unauthorized external access to prevent potential mass data loss.