CVE-2026-40173: Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints

April 16, 2026 (updated April 27, 2026)

An unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from --security "token=...".

This does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level access by reusing the leaked token in X-Dgraph-AuthToken.

References

github.com/advisories/GHSA-95mq-xwj4-r47p
github.com/dgraph-io/dgraph/releases/tag/v25.3.2
github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p
nvd.nist.gov/vuln/detail/CVE-2026-40173

Code Behaviors & Features

Detect and mitigate CVE-2026-40173 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →