Virtuoso 7.2.3217 Released

We are pleased to announce the availability of a new minor release of Virtuoso, which includes an important security fix for the default SPARQL endpoints.

Vulnerable Systems

Virtuoso Open Source and Commercial Editions, version 7.2.3, build-id 07.20.3216, and earlier.


Certain SPARQL 1.1 INSERT and DELETE operations are possible through the default /sparql endpoint, which was meant to be read-only by default.

Recommended Resolution

Update to Virtuoso version 7.2.4, build-id 07.20.3217, or later.

As usual, this Commercial Edition v7 update is free for all licensed v7 users. Licensed users of Commercial Edition v6 may choose to purchase an upgrade to v7, or use the Alternate Resolution below.

Also as usual, users of the Open Source Edition may update via their normal channels, if the new version is available there, or build the update from source. Open Source Edition users may also choose to use the Alternate Resolution described below.

Current Commercial Installer Archives, including this fix

Alternate Resolution

The affected releases used Virtuoso’s coarse-grained SQL ROLE-based security [1] as the default protection method for the /sparql endpoint. As a workaround for these older releases, you can apply Virtuoso’s finer-grained Graph Security layer [2] to tighten default privileges across all or specific named graphs accessible via the default /sparql endpoint. Processing these ACLs carries some overhead, which the updated Virtuoso server binary avoids; that is why we recommend the update.

To protect all named graphs accessible via the endpoint, execute the following two iSQL commands (based on DB.DBA.RDF_DEFAULT_USER_PERMS_SET [3]), either through the Conductor web interface or the isql command-line tool. In each command, ‘nobody’ is the usually unnamed user that stands in for the DBMS itself.

  • revoke all access to private named graphs for user ‘nobody’
  • grant READ access on public named graphs to user ‘nobody’

To protect specific named graphs, execute the following iSQL command (based on DB.DBA.RDF_GRAPH_GROUP_INS [4]), either through the Conductor web interface or the isql command-line tool, substituting the named graph IRI as shown:

  • Make Named Graph Private:
DB.DBA.RDF_GRAPH_GROUP_INS ( ‘' , ‘{named-graph-iri}’ ) ;
  • Example:


  1. Manual section — 6.1.3. Virtuoso User Model
  2. Manual section — 16.4. RDF Graphs Security
  4. Manual section — DB.DBA.RDF_GRAPH_GROUP_INS