Untriaged
Permalink
CVE-2026-54061
9.1 CRITICAL
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import
Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port `:9080` without authentication or authorization. As a result, an unauthenticated network client can open `StreamExtSnapshot` and send Badger stream data to the target group’s store. In addition, the receiver calls `Prepare()` before processing the stream. This operation deletes and replaces the existing DB data. Version 25.3.5 patches the issue.
References
-
https://github.com/dgraph-io/dgraph/security/advisories/GHSA-rrwh-6jrq-wp5v exploitx_refsource_CONFIRM
-
https://github.com/dgraph-io/dgraph/releases/tag/v25.3.5 x_refsource_MISC
Affected products
dgraph
- ==< 25.3.5
Matching in nixpkgs
pkgs.dgraph
Fast, Distributed Graph DB
pkgs.coqPackages.dpdgraph
Build dependency graphs between Coq objects
pkgs.perlPackages.GDGraph
Graph Plotting Module for Perl 5
Package maintainers
-
@vbgl Vincent Laporte <Vincent.Laporte@gmail.com>
-
@sigma Yann Hodique <yann.hodique@gmail.com>
-
@sarahec Sarah Clark <seclark@nextquestion.net>