EXECUTIVE SUMMARY:
CVE-2026-40173, with a CVSS score of 9.4, is a critical vulnerability in Dgraph's Alpha HTTP server, affecting versions 25.3.1 and prior of go/github.com/dgraph-io/dgraph/v25, versions before 24.1.7 of go/github.com/dgraph-io/dgraph/v24, and versions before 1.2.8 of go/github.com/dgraph-io/dgraph. The vulnerability arises from the registration of the /debug/pprof/cmdline endpoint on the default mux, which allows unauthenticated access to the endpoint and discloses the full process command line, including the admin token configured via the --security "token=..." startup flag. An attacker can exploit this vulnerability by sending a GET request to the /debug/pprof/cmdline endpoint, retrieving the leaked token, and reusing it in the X-Dgraph-AuthToken header to reach admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access, including configuration changes and operational control actions, in any deployment where the Alpha HTTP port is reachable by untrusted parties. The business impact of exploitation is significant: an attacker can compromise the security and integrity of the system, potentially leading to data breaches, unauthorized access, and other malicious activity.
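To show the flaw class in isolation, here is an added Go example (not Dgraph's code) that contrasts a server on http.DefaultServeMux, where importing net/http/pprof silently registers /debug/pprof/cmdline, with one on a dedicated mux, plus the probe a defender can run against either to confirm the endpoint is unreachable. The /query route and handler names are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // init() registers /debug/pprof/* on http.DefaultServeMux
	"sync"
)

var registerOnce sync.Once

// publicAPI stands in for the application's own HTTP handlers (assumed route).
func publicAPI(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "ok")
}

// vulnerableHandler reproduces the flaw class: the API shares the default mux,
// so the pprof routes ride along with it. http.ListenAndServe(addr, nil)
// serves the same default mux implicitly.
func vulnerableHandler() http.Handler {
	registerOnce.Do(func() { http.HandleFunc("/query", publicAPI) })
	return http.DefaultServeMux
}

// hardenedHandler gives the API its own mux; nothing from pprof is on it.
// Profiling, if needed, belongs on a separate loopback-only listener, and
// secrets should not ride on the command line at all: cmdline echoes os.Args.
func hardenedHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/query", publicAPI)
	return mux
}

// cmdlineExposed is the defender's check: start the handler on a loopback test
// server and report whether /debug/pprof/cmdline answers 200, with its body.
func cmdlineExposed(h http.Handler) (bool, string) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	resp, err := http.Get(srv.URL + "/debug/pprof/cmdline")
	if err != nil {
		return false, ""
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode == http.StatusOK, string(body)
}
```

Run the same probe against a live Alpha HTTP port after upgrading or re-deploying to confirm the endpoint no longer answers.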
RECOMMENDATION:
We recommend updating go/github.com/dgraph-io/dgraph/v25 to version 25.3.2. For the other module lines, the affected ranges given above (before 24.1.7 for go/github.com/dgraph-io/dgraph/v24 and before 1.2.8 for go/github.com/dgraph-io/dgraph) mark the first unaffected releases. Until the update is applied, the precondition stated in the summary is the control that matters: the Alpha HTTP port must not be reachable by untrusted parties.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-95mq-xwj4-r47p