Platform
go
Component
dgraph
Fixed in
25.3.3
25.3.2
CVE-2026-40173 is a critical vulnerability affecting Dgraph Alpha versions 25.3.1 and earlier. It involves an unauthenticated debug endpoint that inadvertently exposes the Dgraph Alpha process command line, including the configured admin token. This leakage allows attackers to gain unauthorized administrative access, potentially leading to complete control of the Dgraph instance. A fix is available in version 25.3.2.
The primary impact of CVE-2026-40173 is the unauthorized disclosure of the Dgraph Alpha admin token. While the token validation logic itself remains intact, the exposure of this credential bypasses authentication entirely. An attacker can simply reuse the leaked token in the X-Dgraph-AuthToken header to gain full administrative privileges. This grants them the ability to read, write, and delete data, modify the Dgraph configuration, and potentially compromise the entire system. The lack of authentication required for accessing the debug endpoint significantly broadens the attack surface, making exploitation trivial. This vulnerability is similar in impact to credential leakage vulnerabilities found in other database systems, where exposed credentials can lead to complete system takeover.
CVE-2026-40173 was publicly disclosed on 2026-04-15. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the critical severity of the vulnerability make it a high-priority concern. No public proof-of-concept exploits have been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing Dgraph Alpha in production environments, particularly those relying on the admin token for access control, are at significant risk. Deployments with default configurations or those that have not implemented robust security practices are especially vulnerable. Shared hosting environments where multiple users share a Dgraph instance are also at increased risk.
• linux / server:
journalctl -u dgraph -g "debug endpoint"
• generic web:
curl -I http://<dgraph_alpha_ip>:8080/_debug/ | grep -i "X-Dgraph-AuthToken"
Disclosure
Exploit status
EPSS
0.12% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40173 is to immediately upgrade Dgraph Alpha to version 25.3.2 or later, which addresses the exposed debug endpoint. If upgrading is not immediately feasible, consider temporarily disabling the debug endpoint by modifying the Dgraph Alpha configuration and removing the --security "token=..." parameter. While this reduces functionality, it prevents the token from being exposed. Monitor Dgraph Alpha logs for any unusual activity or attempts to access the debug endpoint. After upgrading, confirm the fix by attempting to access the debug endpoint with an unauthenticated request; it should return an error indicating access is denied.
Upgrade to version 25.3.2 or later to mitigate the vulnerability. This version fixes the issue by removing the /debug/pprof/cmdline endpoint from the default mux, preventing exposure of the admin token.
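The verification step described in the mitigation text (an unauthenticated request to the /debug/pprof/cmdline handler that 25.3.2 removes from the default mux) as an added Go check; this is example code, not code from the Dgraph project. It parses the NUL-separated body that Go's pprof cmdline handler emits, reports any token-bearing argument with the secret redacted, and treats a non-200 response as "handler not served". The Alpha HTTP address and the --security "token=..." argument shape are assumptions taken from this advisory.

```go
package main

import (
	"io"
	"net/http"
	"strings"
	"time"
)

// parseCmdline splits a /debug/pprof/cmdline body; Go's pprof handler joins os.Args with NUL bytes.
func parseCmdline(body string) []string {
	return strings.Split(body, "\x00")
}

// leakedTokenFlags returns each argument carrying a "token=" value (as in --security "token=..."),
// with the secret replaced by <redacted> so the finding can be logged without re-exposing it.
func leakedTokenFlags(args []string) []string {
	var hits []string
	for _, a := range args {
		i := strings.Index(strings.ToLower(a), "token=")
		if i < 0 {
			continue
		}
		end := len(a) // security options are ';'-separated; keep whatever follows the token
		if j := strings.Index(a[i:], ";"); j >= 0 {
			end = i + j
		}
		hits = append(hits, a[:i+len("token=")]+"<redacted>"+a[end:])
	}
	return hits
}

// checkAlpha performs the unauthenticated request the advisory recommends for verifying the fix;
// a patched Alpha no longer serves the handler, so a non-200 status means "not exposed".
func checkAlpha(baseURL string) (exposed bool, hits []string, err error) {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(strings.TrimRight(baseURL, "/") + "/debug/pprof/cmdline")
	if err != nil {
		return false, nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, nil, nil
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, nil, err
	}
	return true, leakedTokenFlags(parseCmdline(string(body))), nil
}
```

Call checkAlpha with the Alpha HTTP address (assumed http://localhost:8080 here) from a main or a test; a non-empty hits slice means the instance is still leaking and should be upgraded.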
CVE-2026-40173 is a critical vulnerability in Dgraph Alpha where an unauthenticated debug endpoint leaks the admin token, allowing unauthorized access.
Yes, if you are running Dgraph Alpha versions 25.3.1 or earlier, you are affected by this vulnerability.
Upgrade Dgraph Alpha to version 25.3.2 or later to resolve the issue. Alternatively, temporarily disable the debug endpoint in the configuration.
There is currently no evidence of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Refer to the official Dgraph security advisory for detailed information and updates (advisory link placeholder, to be replaced with the actual advisory: https://github.com/dgraph-io/dgraph/security/advisories/GHSA-xxxx-xxxx-xxxx).