Dgraph Unauthenticated Admin Token Disclosure Vulnerability
Dgraph versions 25.3.1 and prior expose the admin token via an unauthenticated endpoint, enabling attackers to gain administrative access by reusing the leaked token.
Dgraph is an open-source distributed GraphQL database. A critical vulnerability, CVE-2026-40173, affects Dgraph versions 25.3.1 and earlier. The vulnerability stems from the exposure of the /debug/pprof/cmdline endpoint on the default mux without requiring authentication. This endpoint discloses the full process command line, including the admin token configured through the --security "token=..." startup flag. Successful exploitation allows an attacker to retrieve the leaked token and use it within the X-Dgraph-AuthToken header. This bypasses the adminAuthHandler token validation, granting unauthorized access to admin-only endpoints such as /admin/config/cache_mb. This issue was resolved in Dgraph version 25.3.2. Defenders should prioritize detection and prevention of unauthorized access attempts leveraging this vulnerability.
Attack Chain
- Attacker sends an unauthenticated HTTP GET request to the
/debug/pprof/cmdlineendpoint on the Dgraph Alpha HTTP port. - The Dgraph server responds with the process command line, which includes the admin token configured with the
--security "token=..."flag. - Attacker extracts the admin token from the command line output.
- Attacker crafts an HTTP request to an admin-only endpoint, such as
/admin/config/cache_mb. - Attacker includes the extracted admin token in the
X-Dgraph-AuthTokenheader of the HTTP request. - The Dgraph server receives the request with the forged
X-Dgraph-AuthTokenheader. - Due to the vulnerability, the server incorrectly validates the forged token, granting the attacker access to the admin-only endpoint.
- Attacker performs unauthorized actions, such as modifying configuration settings or executing operational control functions.
Impact
Successful exploitation of CVE-2026-40173 allows attackers to gain unauthorized, privileged administrative access to Dgraph deployments. This can lead to unauthorized configuration changes, operational control actions, and potentially complete compromise of the database. The impact is particularly severe in deployments where the Alpha HTTP port is reachable by untrusted parties. There are currently no reports on the number of impacted organizations or specific sectors, but the severity score of 9.4 indicates a high risk of exploitation.
Recommendation
- Upgrade Dgraph to version 25.3.2 or later to remediate CVE-2026-40173.
- Deploy the Sigma rule "Detect Dgraph Admin Token Access via Debug Endpoint" to identify attempts to access the
/debug/pprof/cmdlineendpoint (see rule below). - Monitor web server logs for requests to admin-only endpoints with the
X-Dgraph-AuthTokenheader to detect exploitation attempts. - If upgrading is not immediately feasible, restrict access to the Dgraph Alpha HTTP port to trusted networks or hosts.
Detection coverage 2
Detect Dgraph Admin Token Access via Debug Endpoint
highDetects attempts to access the /debug/pprof/cmdline endpoint in Dgraph, potentially indicating an attempt to retrieve the admin token.
Detect Dgraph Admin Endpoint Access with X-Dgraph-AuthToken
criticalDetects access attempts to sensitive Dgraph admin endpoints using the X-Dgraph-AuthToken header.
Detection queries are available on the platform. Get full rules →