Skip to main content

Dgraph EUVDEUVD-2026-23117

| CVE-2026-40173 CRITICAL
Information Exposure (CWE-200)
2026-04-15 GitHub_M GHSA-95mq-xwj4-r47p
9.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

9
Patch released
Apr 25, 2026 - 18:27 nvd
Patch available
Re-analysis Queued
Apr 16, 2026 - 13:22 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:33 vuln.today
v2 (patch_released)
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
25.3.2
Analysis Generated
Apr 16, 2026 - 00:19 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 21:15 euvd
EUVD-2026-23117
Analysis Generated
Apr 15, 2026 - 21:15 vuln.today
CVE Published
Apr 15, 2026 - 20:40 nvd
CRITICAL 9.4

DescriptionGitHub Advisory

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.

AnalysisAI

Dgraph distributed GraphQL database versions ≤25.3.1 expose admin authentication tokens through an unauthenticated /debug/pprof/cmdline endpoint, allowing remote attackers to retrieve the token from process command line arguments and gain full administrative access to the database. The vulnerability combines unauthenticated information disclosure (CWE-200) with subsequent authentication bypass, enabling configuration changes and operational control. Fixed in version 25.3.2 per vendor advisory GHSA-95mq-xwj4-r47p. CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation against default configurations with no authentication required.

Technical ContextAI

Dgraph is a distributed GraphQL database written in Go. The vulnerability stems from improper exposure of Go's built-in pprof debugging endpoints on the default HTTP multiplexer without authentication middleware. The /debug/pprof/cmdline endpoint, intended for performance profiling during development, reflects the complete process startup command including all arguments. Dgraph's security model uses a shared secret token passed via the --security 'token=...' command-line flag for admin authentication, validated through adminAuthHandler middleware checking the X-Dgraph-AuthToken HTTP header. By exposing the raw command line (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), attackers obtain this token and can trivially bypass authentication on privileged endpoints like /admin/config/cache_mb. This architectural flaw affects all deployments where the Alpha node's HTTP port (default 8080) is network-accessible, common in cloud deployments or internal networks without strict segmentation.

RemediationAI

Upgrade to Dgraph version 25.3.2 or later immediately, available at https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2. The patch removes or properly protects the pprof debug endpoints from unauthenticated access. Post-upgrade, rotate all admin tokens configured via --security flags, as previously exposed tokens remain valid until changed. For environments where immediate patching is not feasible, implement compensating controls: (1) Block external access to the Alpha HTTP port (default 8080) using firewall rules, allowing only authenticated application servers - trade-off: breaks direct client access patterns requiring architectural changes, (2) Deploy a reverse proxy with authentication in front of Dgraph, explicitly blocking /debug/* paths - trade-off: adds latency and operational complexity, (3) Rotate admin tokens immediately and use network segmentation to limit blast radius - trade-off: does not fix the vulnerability, only reduces window of exposure until next rotation. None of these workarounds fully mitigate the issue; version upgrade is the only complete remediation.

Share

EUVD-2026-23117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy