Overview
CVE-2026-54061 is a critical vulnerability in Dgraph, an open-source distributed GraphQL database. The vulnerability exposes the RPCs used for external snapshot import on the public gRPC port without authentication or authorization. This allows an unauthenticated network client to open `StreamExtSnapshot` and send Badger stream data to the target group's store, effectively deleting and replacing existing DB data. The vulnerability is patched in version 25.3.5.
Understanding the Vulnerability / Threat
Root Cause Analysis
The root cause of CVE-2026-54061 is the lack of authentication and authorization for RPCs used for external snapshot import on the public gRPC port `:9080`. This design issue falls under CWE-306, which involves the absence of authentication.
Attack Surface & Vector
The vulnerability lives in the Dgraph Alpha component, specifically on the public gRPC port `:9080`. An attacker can reach this vulnerability through a network-adjacent or remote unauthenticated connection. The preconditions needed are minimal, as the attacker does not require any authentication or authorization.
Exploitation Mechanics — Scenario Walkthrough
Scenario: Compromising a Dgraph Instance via Unauthenticated Snapshot Import
1. Initial Position: The attacker has network access to the Dgraph Alpha instance on port `:9080`.
2. Triggering the Flaw: The attacker crafts a gRPC request to the `StreamExtSnapshot` endpoint, sending Badger stream data to the target group's store. The request is unauthenticated and unauthorized.
3. What Breaks: The receiver calls `Prepare()` before processing the stream, which deletes and replaces the existing DB data. This operation bypasses security checks, allowing the attacker to manipulate the database.
4. Attacker's Prize: The attacker gains the ability to delete and replace existing DB data, potentially leading to data loss, corruption, or unauthorized changes.
Real-World Impact
An attacker exploiting CVE-2026-54061 can achieve significant impact, including data loss, corruption, or unauthorized changes to the database. This could lead to various outcomes, such as data theft, lateral movement, or disruption of service.
Detection & Defense
Immediate Mitigations
- Upgrade Dgraph to version 25.3.5 or later.
- Restrict access to the gRPC port `:9080` to only trusted networks or clients.
- Implement authentication and authorization for RPCs used for external snapshot import.
Detection Strategies
- Monitor gRPC traffic on port `:9080` for suspicious or unauthorized requests.
- Implement SIEM rules to detect and alert on potential exploitation attempts.
- Use network signatures or behavioral indicators to identify potential attacks.
Long-Term Hardening
- Implement robust authentication and authorization mechanisms for all RPCs.
- Regularly update and patch Dgraph instances to prevent exploitation of known vulnerabilities.
- Conduct regular security audits and penetration testing to identify potential weaknesses.
Key Takeaways
- CVE-2026-54061 is a critical vulnerability in Dgraph that allows unauthenticated snapshot import.
- The vulnerability is caused by the lack of authentication and authorization for RPCs on the public gRPC port.
- Exploitation can lead to data loss, corruption, or unauthorized changes.
- Immediate mitigations include upgrading to version 25.3.5 or later and restricting access to the gRPC port.
- Long-term hardening involves implementing robust authentication and authorization mechanisms.
Sources
- National Vulnerability Database (NVD)
- Dgraph security advisories