CVE-2026-40173: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in dgraph-io dgraph
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.
AI Analysis
Technical Summary
Dgraph, an open source distributed GraphQL database, versions prior to 25.3.2 expose sensitive information through the /debug/pprof/cmdline endpoint, which is accessible without authentication. This endpoint reveals the full process command line, including the admin token configured via the --security "token=..." flag. An attacker can extract this token and reuse it in the X-Dgraph-AuthToken header to bypass admin authentication and access privileged administrative endpoints such as /admin/config/cache_mb. This allows unauthorized configuration changes and operational control on any deployment where the Alpha HTTP port is accessible by untrusted parties. The issue is resolved in version 25.3.2.
Potential Impact
The vulnerability allows unauthenticated attackers to obtain the admin token, enabling unauthorized privileged access to administrative endpoints. This can lead to unauthorized configuration changes and operational control over the Dgraph deployment. The impact includes full confidentiality and integrity compromise of the affected system, with limited availability impact. The CVSS 3.1 score of 9.4 reflects critical severity with network attack vector, no privileges required, and no user interaction needed.
Mitigation Recommendations
Upgrade Dgraph to version 25.3.2 or later, where this vulnerability is fixed. Until the upgrade is applied, restrict access to the Alpha HTTP port to trusted parties only to prevent unauthorized access to the /debug/pprof/cmdline endpoint. Patch status is confirmed fixed in version 25.3.2.
CVE-2026-40173: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in dgraph-io dgraph
Description
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.
CVSS v3.1
Score 9.4critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Dgraph, an open source distributed GraphQL database, versions prior to 25.3.2 expose sensitive information through the /debug/pprof/cmdline endpoint, which is accessible without authentication. This endpoint reveals the full process command line, including the admin token configured via the --security "token=..." flag. An attacker can extract this token and reuse it in the X-Dgraph-AuthToken header to bypass admin authentication and access privileged administrative endpoints such as /admin/config/cache_mb. This allows unauthorized configuration changes and operational control on any deployment where the Alpha HTTP port is accessible by untrusted parties. The issue is resolved in version 25.3.2.
Potential Impact
The vulnerability allows unauthenticated attackers to obtain the admin token, enabling unauthorized privileged access to administrative endpoints. This can lead to unauthorized configuration changes and operational control over the Dgraph deployment. The impact includes full confidentiality and integrity compromise of the affected system, with limited availability impact. The CVSS 3.1 score of 9.4 reflects critical severity with network attack vector, no privileges required, and no user interaction needed.
Mitigation Recommendations
Upgrade Dgraph to version 25.3.2 or later, where this vulnerability is fixed. Until the upgrade is applied, restrict access to the Alpha HTTP port to trusted parties only to prevent unauthorized access to the /debug/pprof/cmdline endpoint. Patch status is confirmed fixed in version 25.3.2.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T20:59:17.618Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Epss Score
- 0.00118
- Epss Percentile
- 0.30362
- Epss Date
- 2026-04-26
- Gcve Source
- db.gcve.eu
Threat ID: 69dffcc482d89c981f9a5a10
Added to database: 4/15/2026, 9:01:56 PM
Last enriched: 4/22/2026, 11:15:14 PM
Last updated: 5/30/2026, 6:40:55 PM
Views: 109
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.