CVE-2026-40173
Published: 2026-04-15
Priority: P2 (68), critical, CVSS 3.1 base score 9.4
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.51% (39.5th percentile)
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgraph-io | dgraph | < 25.3.2 | 25.3.2 |
| dgraph | dgraph | < 25.3.2 | 25.3.2 |
| github.com | dgraph-io_dgraph | 0 – 1.2.8 | — |
| github.com | dgraph-io_dgraph_v24 | 0 – 24.1.7 | — |
| github.com | dgraph-io_dgraph_v25 | >= 0 < 25.3.2 | 25.3.2 |
VulDB
dgraph-io dgraph up to 25.3.1 /debug/pprof/cmdline cache_mb information disclosure (GHSA-95mq-xwj4-r47p)
VulDB, 2026-04-16, CVE-2026-40173, CRITICAL, CVSS 9.4
A vulnerability, which was classified as problematic, was found in dgraph-io dgraph up to 25.3.1. This impacts the function cache_mb of the file /debug/pprof/cmdline. The manipulation results in information disclosure.
This vulnerability was named CVE-2026-40173. The attack may be performed from remote. There is no available exploit.
You should upgrade the affected component.
GHSA
Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints
GHSA, 2026-04-16, CVE-2026-40173, CRITICAL, CWE-200
### Summary
An unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from `--security "token=..."`.
This does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level access by reusing the leaked token in `X-Dgraph-AuthToken`.
### Details
The behavior occurs entirely within core Alpha HTTP routing and does not require any external proxy, plugin, or non-core integration.
The core issue is not that admin token protection is absent, but that the protected secret is exposed in cleartext through an unauthenticated core debug endp
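The routing mistake the advisory describes, shown as an added Go example (not Dgraph's code): `net/http/pprof`'s `Cmdline` handler serves `os.Args`, so any process started with a secret on its command line discloses it to whoever can reach that handler unauthenticated. `requireAdminToken` is a hypothetical stand-in for the token check the advisory calls `adminAuthHandler`, and `"s3cret"` is a constructed token.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // importing this also registers /debug/pprof/* on http.DefaultServeMux
)

// requireAdminToken: hypothetical middleware modelled on the advisory's X-Dgraph-AuthToken check (not Dgraph's adminAuthHandler).
func requireAdminToken(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-Dgraph-AuthToken")
		if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// exposedMux mirrors the vulnerable layout: pprof shares the mux serving untrusted clients, so os.Args needs no credential to read.
func exposedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	return mux
}

// hardenedMux gates the same handler behind the admin token, so the command line (and any token on it) is only readable by a caller who already holds it.
func hardenedMux(token string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/debug/pprof/cmdline", requireAdminToken(token, http.HandlerFunc(pprof.Cmdline)))
	return mux
}

// cmdlineStatus returns the status of a GET to the debug endpoint with the given header token ("" = unauthenticated); 200 means disclosure.
func cmdlineStatus(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/cmdline", nil)
	if token != "" {
		req.Header.Set("X-Dgraph-AuthToken", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(cmdlineStatus(exposedMux(), ""), cmdlineStatus(hardenedMux("s3cret"), ""), cmdlineStatus(hardenedMux("s3cret"), "s3cret")) // prints 200 401 200
}
```

Serving debug handlers on a separate, non-public listener is the other common fix; in either case the secret should also move off the command line, since the fix in 25.3.2 only closes one path to it.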