Platform: go
Component: dgraph
Fixed in: 25.3.3, 25.3.2
CVE-2026-40173 is a critical vulnerability affecting Dgraph Alpha versions 25.3.1 and earlier. It involves an unauthenticated debug endpoint that inadvertently exposes the Dgraph Alpha process command line, including the configured admin token. This leakage allows attackers to gain unauthorized administrative access, potentially leading to complete control of the Dgraph instance. A fix is available in version 25.3.2.
The primary impact of CVE-2026-40173 is the unauthorized disclosure of the Dgraph Alpha admin token. While the token validation logic itself remains intact, the exposure of this credential bypasses authentication entirely. An attacker can simply reuse the leaked token in the X-Dgraph-AuthToken header to gain full administrative privileges. This grants them the ability to read, write, and delete data, modify the Dgraph configuration, and potentially compromise the entire system. The lack of authentication required for accessing the debug endpoint significantly broadens the attack surface, making exploitation trivial. This vulnerability is similar in impact to credential leakage vulnerabilities found in other database systems, where exposed credentials can lead to complete system takeover.
CVE-2026-40173 was publicly disclosed on 2026-04-15. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the critical severity of the vulnerability make it a high-priority concern. No public proof-of-concept exploits have been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.12% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40173 is to immediately upgrade Dgraph Alpha to version 25.3.2 or later, which addresses the exposed debug endpoint. If upgrading is not immediately feasible, a temporary workaround is to remove the --security "token=..." parameter from the Dgraph Alpha configuration, so that no admin token appears on the process command line that the endpoint exposes. This reduces functionality, since the admin token is no longer configured, but it prevents the token from being leaked. Monitor Dgraph Alpha logs for any unusual activity or attempts to access the debug endpoint. After upgrading, confirm the fix by requesting the debug endpoint without credentials; it should return an error indicating access is denied rather than the process command line.
Update to version 25.3.2 or later to mitigate the vulnerability. This version fixes the issue by removing the /debug/pprof/cmdline endpoint from the default mux, preventing the admin token from being exposed.
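The following Go program is an added illustration of the mechanism and of the fix described above; it is not Dgraph's code. It shows why the leak happens (Go's net/http/pprof package serves os.Args, including any inline token, from /debug/pprof/cmdline, and importing the package registers that handler on http.DefaultServeMux), a hardened mux that keeps the profiling endpoints but omits cmdline, the unauthenticated post-upgrade check the mitigation section recommends, and a small deployment-time check that warns when a token is passed inline on the command line. The listen addresses, the /health route and the "token=" matching rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/pprof" // importing this package alone registers handlers on http.DefaultServeMux
	"os"
	"strings"
)

// newDebugMux builds an explicit mux for the pprof handlers instead of relying
// on http.DefaultServeMux. With exposeCmdline=false it mirrors the fix the
// advisory describes: the profile endpoints stay, only /debug/pprof/cmdline
// (which writes os.Args to any caller, credentials included) is left out.
func newDebugMux(exposeCmdline bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	if exposeCmdline {
		mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline) // the leaking handler
	}
	return mux
}

// cmdlineExposed is the post-upgrade check from the advisory: it requests
// /debug/pprof/cmdline without any credentials and reports whether the server
// still answers with a command line. Any non-200 status means the endpoint is
// no longer served (pprof.Index answers 404 "Unknown profile" for that path).
func cmdlineExposed(baseURL string) (bool, error) {
	resp, err := http.Get(baseURL + "/debug/pprof/cmdline")
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, nil
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return false, err
	}
	// pprof.Cmdline joins os.Args with NUL bytes; a non-empty body is a leak.
	return len(body) > 0, nil
}

// secretsOnCmdline flags arguments that carry a token value inline, the shape
// the advisory describes (--security "token=..."). The coarse "token=" match is
// an assumption for this example. Anything returned is readable by whoever can
// read the process command line (pprof cmdline, /proc/<pid>/cmdline, ps), so a
// deployment check can warn before the process becomes reachable.
func secretsOnCmdline(args []string) []string {
	var hits []string
	for _, a := range args {
		if strings.Contains(a, "token=") {
			hits = append(hits, a)
		}
	}
	return hits
}

func main() {
	if hits := secretsOnCmdline(os.Args[1:]); len(hits) > 0 {
		log.Printf("warning: %d argument(s) carry an inline token visible to anyone who can read this process's command line", len(hits))
	}
	// Debug mux on loopback only, application API on its own mux; neither uses
	// DefaultServeMux, so the handlers registered by the pprof import are never
	// reachable. Addresses are hypothetical.
	go func() {
		log.Fatal(http.ListenAndServe("127.0.0.1:6060", newDebugMux(false)))
	}()
	api := http.NewServeMux()
	api.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	log.Fatal(http.ListenAndServe(":8080", api))
}
```

The two muxes are the point of the example: the profiling endpoints are still available to an operator on the loopback interface, while the one handler that dumps argv is not registered anywhere, so the result of the unauthenticated check is a 404 rather than the admin token.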
What is CVE-2026-40173?
CVE-2026-40173 is a critical vulnerability in Dgraph Alpha where an unauthenticated debug endpoint leaks the admin token, allowing unauthorized access.

Am I affected?
Yes, if you are running Dgraph Alpha versions 25.3.1 or earlier, you are affected by this vulnerability.

How do I fix it?
Upgrade Dgraph Alpha to version 25.3.2 or later to resolve the issue. Alternatively, temporarily disable the debug endpoint in the configuration.

Is it being actively exploited?
There is currently no evidence of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Refer to the official Dgraph security advisory for detailed information and updates. The original page carries only a placeholder for the advisory link (https://github.com/dgraph-io/dgraph/security/advisories/GHSA-xxxx-xxxx-xxxx, marked "replace with actual advisory link"), so the GHSA identifier is not known from this page.