{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40173", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T20:59:17.618Z", "datePublished": "2026-04-15T20:40:47.186Z", "dateUpdated": "2026-04-16T12:05:10.186Z"}, "containers": {"cna": {"title": "Dgraph: Unauthenticated pprof endpoint leaks admin auth token", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-215", "lang": "en", "description": "CWE-215: Insertion of Sensitive Information Into Debugging Code", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"}, {"name": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2"}], "affected": [{"vendor": "dgraph-io", "product": "dgraph", "versions": [{"version": "< 25.3.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T20:40:47.186Z"}, "descriptions": [{"lang": "en", "value": "Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security \"token=...\" startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2."}], "source": {"advisory": "GHSA-95mq-xwj4-r47p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T11:26:03.429575Z", "id": "CVE-2026-40173", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:05:10.186Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40173", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T20:59:17.618Z", "datePublished": "2026-04-15T20:40:47.186Z", "dateUpdated": "2026-04-16T12:05:10.186Z"}, "containers": {"cna": {"title": "Dgraph: Unauthenticated pprof endpoint leaks admin auth token", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-215", "lang": "en", "description": "CWE-215: Insertion of Sensitive Information Into Debugging Code", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"}, {"name": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2"}], "affected": [{"vendor": "dgraph-io", "product": "dgraph", "versions": [{"version": "< 25.3.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T20:40:47.186Z"}, "descriptions": [{"lang": "en", "value": "Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security \"token=...\" startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2."}], "source": {"advisory": "GHSA-95mq-xwj4-r47p", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40173", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T11:26:03.429575Z"}}}], "references": [{"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T11:26:13.684Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security \"token=...\" startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2."}], "id": "CVE-2026-40173", "lastModified": "2026-04-16T13:16:49.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T21:17:27.197", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-215"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,25.3.2)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "dgraph", "source": "cna", "vendor": "dgraph-io"}, "product": "dgraph", "vendor": "dgraph"}], "analysis": {"en": {"generated_at": "2026-04-16T02:19:46.422012+00:00", "value": {"mitigation_remediation": ["Upgrade Dgraph to version 25.3.2 or later, which removes the vulnerable pprof endpoint.", "If upgrading is not immediately possible, restrict access to the /debug/pprof/cmdline path by firewalling the Alpha port or by configuring the server to expose the endpoint only on localhost.", "Rotate or revoke any previously leaked admin tokens and ensure that the --security token flag is updated to a new value or removed."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized privileged administrative access"}, "threat_synthesis": {"affected_systems": "Vulnerable products are the dgraph-io dgraph 25.3.1 and earlier releases. The issue exists when the Alpha HTTP port is reachable by untrusted network participants. Any deployment of these versions in an unprotected environment is susceptible.", "description_and_impact": "Dgraph exposes the full process command line through the /debug/pprof/cmdline endpoint without requiring authentication. The command line contains the admin token defined by the --security \"token=...\" flag, which attackers can capture and embed in the X-Dgraph-AuthToken header to bypass the adminAuthHandler. This allows read/write access to admin\u2011only routes, including configuration changes and operational controls, effectively granting full administrative privileges for any deployment with an exposed Alpha HTTP port.", "risk_and_exploitability": "The vulnerability has a CVSS base score of 9.4, indicating critical severity. No EPSS score is available, and it is not listed in the CISA KEV catalog, but the absence of authentication and the ubiquity of the exposed endpoint make exploitation straightforward for anyone with network access to the target service. The attack vector is a simple unauthenticated HTTP request to the pprof endpoint, enabling credential disclosure and subsequent privilege escalation."}}}}, "created": "2026-04-16T02:30:21.680672+00:00", "updated": "2026-04-16T09:00:05.123998+00:00", "vendors": ["dgraph", "dgraph$PRODUCT$dgraph"]}