CVE-2026-40173
Published: 15 April 2026
Description
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.
Mitigating Controls (NIST 800-53 r5)
Enforces authentication and access controls on endpoints like /debug/pprof/cmdline to prevent unauthenticated disclosure of admin tokens from the process command line.
Protects publicly accessible HTTP ports and endpoints in Dgraph Alpha from unauthorized access and sensitive credential exposure to untrusted parties.
Disables unnecessary debug endpoints such as /debug/pprof/cmdline to eliminate exposure of command line arguments containing admin tokens.
Security Summary
CVE-2026-40173 is an unauthenticated credential disclosure vulnerability affecting Dgraph, an open source distributed GraphQL database, in versions 25.3.1 and prior. The issue stems from the /debug/pprof/cmdline endpoint being registered on the default mux and accessible without authentication, which exposes the full process command line. This includes the admin token configured via the --security "token=..." startup flag, enabling attackers to extract sensitive credentials directly.
Any unauthenticated attacker with network access to the Dgraph Alpha HTTP port can exploit this vulnerability. By querying the exposed endpoint, they retrieve the leaked admin token and reuse it in the X-Dgraph-AuthToken header to bypass the adminAuthHandler validation. This grants unauthorized access to admin-only endpoints, such as /admin/config/cache_mb, allowing privileged administrative actions like configuration changes and operational control in deployments exposed to untrusted parties. The CVSS v3.1 base score is 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), with associated CWEs 200 (Exposure of Sensitive Information), 215 (Improper Handling of Credentials), and 522 (Insufficiently Protected Credentials).
The vulnerability has been fixed in Dgraph version 25.3.2, as detailed in the release notes at https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2 and the security advisory at https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p. Security practitioners should upgrade to the patched version and review exposures of the Alpha HTTP port to mitigate risks.
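As a defensive illustration of the exposure pattern described above (an example added here, not Dgraph's code and not the project's actual fix), the Go program below keeps the public port on a freshly built ServeMux, so the /debug/pprof/* routes that net/http/pprof registers on http.DefaultServeMux at import time never reach it, and serves the cmdline profile only behind an X-Dgraph-AuthToken check on a separate loopback listener. The names requireAdminToken, newPublicMux, newDebugMux, probe and the token value are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // its init() registers /debug/pprof/* on http.DefaultServeMux
)

// adminToken stands in for the value given via --security "token=..." (constructed value).
const adminToken = "example-admin-token"
// requireAdminToken mimics an admin auth handler: reject unless X-Dgraph-AuthToken matches.
func requireAdminToken(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-Dgraph-AuthToken")
		if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// newPublicMux: fresh ServeMux for the external port, so import-time pprof routes are absent.
func newPublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })
	return mux
}
// newDebugMux serves the cmdline profile only behind the token check; bind it to loopback.
func newDebugMux(token string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/debug/pprof/cmdline", requireAdminToken(token, http.HandlerFunc(pprof.Cmdline)))
	return mux
}

// probe returns the status code h gives a GET of path carrying token in X-Dgraph-AuthToken.
func probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Dgraph-AuthToken", token)
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	// Passing http.DefaultServeMux (or nil) as the public handler would re-create the exposure.
	go func() { log.Fatal(http.ListenAndServe("127.0.0.1:6060", newDebugMux(adminToken))) }()
	log.Fatal(http.ListenAndServe(":8080", newPublicMux()))
}
```

Running probe against http.DefaultServeMux shows the footgun directly: the import alone makes /debug/pprof/cmdline answer 200 there, which is why the public listener must never be handed the default mux.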
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote access to /debug/pprof/cmdline endpoint on public-facing HTTP service leaks admin token (T1190: Exploit Public-Facing Application; T1212: Exploitation for Credential Access).