CVE-2026-54061

Source
https://cve.org/CVERecord?id=CVE-2026-54061
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54061.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54061
Aliases
  • GHSA-rrwh-6jrq-wp5v
Published
2026-07-08T13:23:56.884Z
Modified
2026-07-09T04:02:06.049968924Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import
Details

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send Badger stream data to the target group’s store. In addition, the receiver calls Prepare() before processing the stream. This operation deletes and replaces the existing DB data. Version 25.3.5 patches the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54061.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

Git / github.com/dgraph-io/dgraph

Affected ranges

Type
GIT
Repo
https://github.com/dgraph-io/dgraph
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "25.3.5"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

Other
nightly
release/v20.*
release/v20.11-rc1
v0.*
v0.3
v0.4.0
v0.4.1
v0.4.2
v0.8.0
v0.8.1
v0.8.3
v0.9.0
v0.9.4
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.10-rc1
v1.0.11
v1.0.11-rc1
v1.0.11-rc2
v1.0.11-rc3
v1.0.11-rc4
v1.0.12-rc1
v1.0.12-rc2
v1.0.12-rc3
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.7
v1.0.7-rc2
v1.0.7-rc3
v1.0.7-rc4
v1.0.7a
v1.0.8
v1.0.8-rc1
v1.0.8-rc2
v1.0.9
v1.0.9-rc1
v1.0.9-rc2
v1.0.9-rc3
v1.0.9-rc4
v1.0.9-rc5
v1.1.0
v1.1.0-rc2
v1.1.0-rc3
v1.1.1
v1.1.1-rc1
v1.1.1-rc2
v1.2.0-rc1
v2.*
v2.0.0-beta1
v2.0.0-rc1
v20.*
v20.11.0-rc1
v21.*
v21.03.0
v21.03.1
v21.03.2
v22.*
v22.0.0
v22.0.0-RC1-20221003
v22.0.2
v23.*
v23.0.0
v23.0.0-beta1
v23.0.0-rc1
v23.0.1
v23.1.0
v23.1.0-rc1
v23.1.0-rc2
v24.*
v24.0.0
v24.0.0-alpha
v24.0.0-alpha2
v24.0.0-alpha3
v24.0.0-rc1
v24.0.1
v24.0.2
v24.0.2-rc1
v25.*
v25.0.0
v25.0.0-preview1
v25.0.0-preview2
v25.0.0-preview3
v25.0.0-preview4
v25.0.0-preview5
v25.0.0-preview6
v25.1.0
v25.1.0-preview1
v25.2.0
v25.3.0
v25.3.1
v25.3.2
v25.3.3
v25.3.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54061.json"