CVE-2026-40173

Dgraph · Dgraph

Dgraph versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability via the /debug/pprof/cmdline endpoint, leaking admin tokens.

Executive summary

An unauthenticated credential disclosure in Dgraph allows attackers to steal administrative tokens and gain full operational control over the database.

Vulnerability

This is an unauthenticated credential disclosure. The /debug/pprof/cmdline endpoint (Go's net/http/pprof cmdline handler) returns the full command line of the running process, and Dgraph served it on the Alpha HTTP port without authentication. Any configuration flag passed on the command line, including the admin token, is therefore readable by anyone who can reach the port. An attacker who recovers the token can present it on subsequent requests and bypass authentication on the administrative endpoints.
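To make the mechanism concrete, the following Go program is an added example written for this page; it is not Dgraph's code and does not reproduce Dgraph's server. It registers the standard-library pprof cmdline handler the way a service would, appends a Dgraph-style --security flag to its own argument list so there is a secret to leak, and then probes the endpoint twice: once against the unauthenticated handler (the pattern the advisory describes) and once behind a middleware that requires the token in a request header. The token value, the header name X-Dgraph-AuthToken and the flag format are assumptions for the demo.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"os"
	"strings"
)

// Hypothetical values for the demo; not Dgraph's real configuration.
const (
	adminToken  = "hypothetical-admin-token-0123"
	tokenHeader = "X-Dgraph-AuthToken" // assumed header name
	tokenFlag   = "--security"         // assumed flag name
)

// ensureTokenFlag appends a Dgraph-style security flag to this process's
// argument list so that pprof.Cmdline has something sensitive to return.
// In a real deployment the operator's command line supplies this.
func ensureTokenFlag() {
	for _, a := range os.Args {
		if strings.Contains(a, adminToken) {
			return
		}
	}
	os.Args = append(os.Args, tokenFlag, "token="+adminToken+"; whitelist=10.0.0.0/8")
}

// vulnerableMux registers the pprof cmdline handler on the public mux with
// no authentication, the exposed-endpoint pattern the advisory describes.
// pprof.Cmdline writes os.Args joined by NUL bytes to the response.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	return mux
}

// requireAdminToken rejects requests whose token header does not match,
// using a constant-time comparison so the check itself leaks nothing.
func requireAdminToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get(tokenHeader)
		if subtle.ConstantTimeCompare([]byte(got), []byte(adminToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// hardenedMux gates every /debug/pprof/ path behind the admin token.
func hardenedMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/debug/pprof/", requireAdminToken(http.HandlerFunc(pprof.Index)))
	mux.Handle("/debug/pprof/cmdline", requireAdminToken(http.HandlerFunc(pprof.Cmdline)))
	return mux
}

// probeCmdline issues GET /debug/pprof/cmdline against h, optionally with
// the token header set, and reports the HTTP status and whether the admin
// token appeared anywhere in the response body.
func probeCmdline(h http.Handler, token string) (status int, leaked bool) {
	ensureTokenFlag()
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/cmdline", nil)
	if token != "" {
		req.Header.Set(tokenHeader, token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.Contains(rec.Body.String(), adminToken)
}

func main() {
	st, leak := probeCmdline(vulnerableMux(), "")
	fmt.Printf("vulnerable handler, no auth:    status=%d token_leaked=%v\n", st, leak)
	st, leak = probeCmdline(hardenedMux(), "")
	fmt.Printf("hardened handler, no token:     status=%d token_leaked=%v\n", st, leak)
	st, leak = probeCmdline(hardenedMux(), adminToken)
	fmt.Printf("hardened handler, valid token:  status=%d token_leaked=%v\n", st, leak)
}
```

The unauthenticated probe gets a 200 with the token in the body; the gated handler answers 401 without it. Note that the hardened variant still returns the command line to a caller who already holds the token, so gating only stops the bootstrap: secrets should not be on the command line at all (a file or environment variable keeps them out of cmdline and out of ps output), and the pprof handlers belong on a loopback-only listener rather than the public API port.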

Business impact

This vulnerability carries a CVSS score of 9.4, indicating critical risk. An attacker who recovers the token gains full administrative control over the Dgraph database and can modify configuration, read or alter sensitive data, or disrupt operations, with a corresponding risk of data breach and service outage.

Remediation

Immediate Action: Upgrade Dgraph to version 25.3.2 or later, which fixes both the endpoint exposure and the token-handling logic. Because any party that could reach the port may already have read the token, rotate the admin token after upgrading; patching alone does not invalidate a value that has already leaked.

Proactive Monitoring: Review access logs (from the reverse proxy or load balancer in front of the Alpha HTTP port, if one is in place) for requests to /debug/pprof/ from sources other than your own operators and tooling, and treat subsequent administrative requests from the same sources as token reuse. Also monitor for unexpected administrative configuration changes.

Compensating Controls: Ensure the Alpha HTTP port is reachable only from trusted networks, using network-level access controls (firewalls, VPC security groups, or an authenticating reverse proxy), so that untrusted parties cannot reach /debug/pprof/ or the administrative endpoints at all.
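The log review described above can be scripted. The following Go program is an added example for this page, not a Dgraph tool: it scans constructed access-log lines in nginx "combined" format (assumed to come from a reverse proxy in front of the Alpha HTTP port; Dgraph itself does not emit this format), flags every request to /debug/pprof/ from a source outside an operator allowlist, and then flags any later /admin request from those same sources as probable token reuse. The sample lines, IP addresses and allowlist are constructed for the demo.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample log (nginx combined format) for the demo; not real traffic.
// 10.0.1.x are operators, 203.0.113.77 is an outside host that reads cmdline
// and then hits the admin endpoint with the recovered token.
const sampleLog = `10.0.1.5 - - [02/May/2026:10:01:02 +0000] "POST /query HTTP/1.1" 200 512 "-" "dgo/1.0"
203.0.113.77 - - [02/May/2026:10:01:09 +0000] "GET /debug/pprof/cmdline HTTP/1.1" 200 181 "-" "curl/8.4.0"
10.0.1.9 - - [02/May/2026:10:02:30 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 20488 "-" "go-pprof"
203.0.113.77 - - [02/May/2026:10:03:41 +0000] "POST /admin HTTP/1.1" 200 77 "-" "curl/8.4.0"
198.51.100.23 - - [02/May/2026:10:05:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.29"`

// logLine captures source IP, timestamp, method, path and status from one
// combined-format line; everything after the status is ignored.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// finding is one log line that merits review.
type finding struct {
	Source, Time, Method, Path, Reason string
	Status                             int
}

// parseAllowlist turns CIDR strings into networks; malformed entries are skipped.
func parseAllowlist(cidrs []string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			nets = append(nets, n)
		}
	}
	return nets
}

func allowed(ip string, nets []*net.IPNet) bool {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(parsed) {
			return true
		}
	}
	return false
}

// suspiciousRequests does two passes: first it flags /debug/pprof/ requests
// from outside the allowlist and remembers their sources; then it flags any
// /admin request from one of those sources as probable token reuse.
// Findings are returned in log order.
func suspiciousRequests(log string, nets []*net.IPNet) []finding {
	type parsed struct {
		f  finding
		ok bool
	}
	lines := strings.Split(log, "\n")
	rows := make([]parsed, len(lines))
	pprofSources := map[string]bool{}
	for i, line := range lines {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		status, _ := strconv.Atoi(m[5])
		rows[i] = parsed{finding{Source: m[1], Time: m[2], Method: m[3], Path: m[4], Status: status}, true}
		if strings.HasPrefix(m[4], "/debug/pprof/") && !allowed(m[1], nets) {
			pprofSources[m[1]] = true
		}
	}
	var out []finding
	for _, r := range rows {
		if !r.ok {
			continue
		}
		switch {
		case strings.HasPrefix(r.f.Path, "/debug/pprof/") && pprofSources[r.f.Source]:
			r.f.Reason = "pprof endpoint read from outside allowlist"
			out = append(out, r.f)
		case strings.HasPrefix(r.f.Path, "/admin") && pprofSources[r.f.Source]:
			r.f.Reason = "admin request from source that read pprof (possible token reuse)"
			out = append(out, r.f)
		}
	}
	return out
}

func main() {
	for _, f := range suspiciousRequests(sampleLog, parseAllowlist([]string{"10.0.0.0/8"})) {
		fmt.Printf("%s %s %s %s %d  <- %s\n", f.Time, f.Source, f.Method, f.Path, f.Status, f.Reason)
	}
}
```

On the sample, the operator's /debug/pprof/heap fetch from 10.0.1.9 is not flagged, while the outside host's cmdline read and its follow-on /admin call both are. Any /admin hit from a source that read cmdline while the service was exposed should be treated as use of the leaked token, and the token rotated.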

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The exposure of administrative credentials via an unauthenticated endpoint is a severe security oversight. Administrators must upgrade to version 25.3.2 immediately, rotate the admin token (the leaked value is a static configuration value, so it stays valid until changed), and check whether it was used by unauthorized parties during the period the service was exposed.