CVE-2026-40173
Received Received - Intake
Unauthenticated Credential Disclosure in Dgraph Alpha Enables Admin Access

Publication date: 2026-04-15

Last updated on: 2026-04-25

Assigner: GitHub, Inc.

Description
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-25
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40173
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dgraph dgraph to 25.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-215 The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Dgraph versions 25.3.1 and earlier, where an unauthenticated endpoint (/debug/pprof/cmdline) exposes the full process command line, including the admin token configured at startup.

An attacker can access this endpoint without authentication, retrieve the admin token, and then use it to gain unauthorized privileged administrative access by bypassing token validation on admin-only endpoints.

Impact Analysis

The vulnerability allows an attacker to gain unauthorized privileged administrative access to the Dgraph database.

  • They can perform configuration changes.
  • They can execute operational control actions.

This can happen in any deployment where the Alpha HTTP port is accessible by untrusted parties, potentially compromising the integrity and availability of the database.

Detection Guidance

This vulnerability can be detected by checking if the /debug/pprof/cmdline endpoint is accessible without authentication on the Dgraph Alpha HTTP port. Accessing this endpoint reveals the full process command line including the admin token configured via the --security "token=..." startup flag.

A practical approach is to send an HTTP request to the /debug/pprof/cmdline endpoint on the Dgraph Alpha HTTP port and observe if the response contains the admin token.

  • Use curl to check the endpoint: curl http://<dgraph-alpha-host>:<port>/debug/pprof/cmdline
  • If the response includes the admin token or command line arguments with the token, the vulnerability is present.
Mitigation Strategies

The immediate mitigation step is to upgrade Dgraph to version 25.3.2 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the Alpha HTTP port to trusted parties only, preventing untrusted parties from reaching the vulnerable endpoint.

Additionally, consider firewall rules or network segmentation to limit exposure of the /debug/pprof/cmdline endpoint.

Compliance Impact

This vulnerability allows an attacker to gain unauthorized privileged administrative access by retrieving an exposed admin token. Such unauthorized access can lead to unauthorized configuration changes and operational control, potentially resulting in unauthorized data access or modification.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, unauthorized administrative access and potential data exposure or manipulation could lead to violations of these regulations, which require strict controls on access to sensitive data and system integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart