External risk intelligence

Dgraph Unauthenticated Data Overwrite via Snapshot Import

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-54061

The vulnerability resides in a service that listens on a public gRPC port by default. While this is a database component, the exposure of management or import RPCs on a public-facing interface in common deployment patterns makes it likely to be reachable from the internet if the port is not explicitly firewalled.

Missing Authentication

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Dgraph, an open-source distributed GraphQL database. Prior to a recent update, an unauthenticated network client could import external data, potentially overwriting existing databases without authorization. The main concern is confirming relevance and exposure to this database technology.

  • Unauthenticated data import can overwrite databases.
  • It affects distributed GraphQL database technology.
  • Confirm if Dgraph is used and exposed.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by remotely connecting to a Dgraph Alpha instance's public gRPC port. By initiating a `StreamExtSnapshot` RPC, the attacker can send malicious data, leading to the deletion and replacement of existing database contents. This could result in significant data corruption or unauthorized data manipulation.

  • Unauthenticated network access required.
  • Triggered by external snapshot import RPC.
  • Risk of data deletion and modification.

Live Threat

Current exploitation, exposure, and threat context

In unsupported configurations, an unauthenticated network client could send external snapshot data to Dgraph Alpha, overwriting existing database contents. This occurs when the `StreamExtSnapshot` RPC is exposed on the public gRPC port without proper authentication, and the `Prepare()` operation is called before stream processing.

  • Database data integrity.
  • Via unauthenticated network access.
  • Total data loss or corruption.

Operational Fix

Recommended remediation, mitigation, and detection steps

System owners and platform teams are likely responsible for addressing this critical vulnerability in Dgraph Alpha, given its default exposure on a public gRPC port. The initial step involves identifying all Dgraph instances, assessing their network reachability, confirming business criticality, and assigning ownership for remediation. Planning should then focus on risk-based mitigation strategies, which may include vendor coordination or applying updates during planned maintenance windows.

  • Identify Dgraph instances and owners.
  • Verify network exposure and criticality.
  • Plan and execute remediation actions.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Dgraph?

Dgraph is an open-source, distributed database built specifically to serve GraphQL queries. It is commonly used in application architectures that require high performance and horizontal scalability for complex data relationships. The Dgraph Alpha component is a core part of the system responsible for data management and cluster operations.

What does CVE-2026-54061 mean?

This vulnerability is classified as CWE-306, which refers to a missing authentication for a critical function. In the context of this CVE, it means the database does not require credentials to perform administrative-level actions. Specifically, a remote party can invoke a function intended for data importing, effectively bypassing the security controls that should protect your database contents from unauthorized modifications.

How can an attacker trigger this issue?

The issue is triggered when an unauthenticated client connects to the Dgraph Alpha gRPC port and initiates a specific snapshot import procedure. It is important to note that the bug is tied to this specific RPC call; standard data queries or general database operations do not trigger this destructive behavior. The vulnerability occurs because the system fails to verify the sender's identity before allowing a stream of data to overwrite existing records.

Is my Dgraph instance at risk?

Halo Surface Signal indicates that because Dgraph Alpha listens on port 9080 by default, any instance accessible over the internet is at higher risk of being reachable by unauthorized parties. If your database is tucked behind strict network controls or firewalls that block external access to this port, the potential for exploitation is significantly lower than for publicly exposed instances.

How should I respond to this vulnerability?

Your first step is to locate all running Dgraph instances within your environment to determine which ones are reachable over the network. Once identified, evaluate the necessity of those connections and prioritize restricting access to the gRPC port. Finally, plan to update to version 25.3.5 or later, as this version contains the necessary patches to require proper authentication for these RPC operations.

References