External risk intelligence

Dgraph database leaks admin token allowing unauthorized control

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-40173

An external attacker can access an unprotected part of the Dgraph database to steal security credentials. This gives them full administrative control over the system, allowing them to change sensitive configurations and operations.

Halo Surface Signal: 2

Category: Information Disclosure

Affected product: Dgraph

Affected versions: before 25.3.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-40173

Dgraph is a backend database typically deployed within private or internal networks. While the service is network-reachable in many environments, direct exposure of its database management ports to the public internet is not a standard design pattern and is usually considered a misconfiguration or uncommon deployment.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Dgraph, a distributed GraphQL database, allows unauthorized access to sensitive information. The issue involves an endpoint that exposes administrative credentials, enabling anyone to gain privileged access and make configuration changes or take operational control. This is a critical risk for deployments where the database management port is accessible from the internet.

  • Unauthenticated users can access credentials.
  • Compromised credentials grant admin control.
  • Affects internet-accessible deployments.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by accessing the `/debug/pprof/cmdline` endpoint without authentication, which leaks the admin token. This token can then be used to access sensitive admin endpoints and gain unauthorized control over the database.

  • No authentication required.
  • Target: `/debug/pprof/cmdline` endpoint.
  • Precondition: an admin token is configured on the instance (via the `--security "token=..."` startup flag), so that it appears in the leaked command line.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to invest in weaponizing this CVE because it targets a backend database system that is not typically exposed directly to the internet. The primary attack vector requires that the Dgraph Alpha HTTP port be reachable by untrusted parties, which is an uncommon deployment scenario that suggests a misconfigured environment. This limits the potential impact and therefore the attractiveness of developing exploits.

  • Exploitation is unlikely without misconfiguration.
  • No public exploits are observed.
  • Recency signal: patched in April 2026.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate patching of Dgraph to version 25.3.2 to address the unauthenticated credential disclosure vulnerability. If patching is delayed, restrict network access to the Alpha HTTP port and monitor for unauthorized access attempts to admin endpoints.

  • Update Dgraph to 25.3.2.
  • Block external access to Alpha HTTP port.
  • Monitor for token-based admin endpoint access.
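The leak exists because the Go pprof `cmdline` handler dumps the process arguments, which include any `--security "token=..."` value passed at startup. As an added illustration that is not Dgraph's code or its 25.3.2 fix, the Go service below shows how an operator can keep `net/http/pprof` off the public mux of their own services by gating it behind a loopback-or-operator-token guard; the `X-Debug-Token` header name and the token value are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// pprofGuard admits a request only from a loopback address or with the expected
// operator token in X-Debug-Token (hypothetical header); all else gets 403.
func pprofGuard(expectedToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
			if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
				next.ServeHTTP(w, r)
				return
			}
		}
		got := []byte(r.Header.Get("X-Debug-Token"))
		if expectedToken != "" && subtle.ConstantTimeCompare(got, []byte(expectedToken)) == 1 {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// newMux puts the pprof handlers on a guarded sub-mux. Importing net/http/pprof
// also registers them on http.DefaultServeMux, so never serve that default mux.
func newMux(debugToken string) *http.ServeMux {
	debug := http.NewServeMux()
	debug.HandleFunc("/debug/pprof/", pprof.Index)
	debug.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline) // writes os.Args, secrets included
	mux := http.NewServeMux()
	mux.Handle("/debug/pprof/", pprofGuard(debugToken, debug))
	return mux
}

// probe replays GET /debug/pprof/cmdline from remoteAddr and returns the HTTP status.
func probe(mux http.Handler, remoteAddr, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/cmdline", nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set("X-Debug-Token", token)
	rr := httptest.NewRecorder()
	mux.ServeHTTP(rr, req)
	return rr.Code
}
```

Passing the secret as a file or environment variable rather than an argument also keeps it out of `cmdline` output, whichever gate is in front of it.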

Frequently asked questions

What is Dgraph and what is it used for?

Dgraph is an open-source distributed GraphQL database. It is used for storing and querying data using the GraphQL query language, making it a powerful tool for modern application development where flexible data relationships are important.

How does CVE-2026-40173 allow unauthorized access?

This vulnerability is an unauthenticated credential disclosure, specifically a CWE-200 (Information Exposure) and CWE-215 (Information Exposure Through External Control of File Name or Path). An unauthenticated attacker can access the /debug/pprof/cmdline endpoint, which reveals the administrator token. This token is then used to bypass security and gain administrative control.

What are the conditions needed to trigger this vulnerability?

An attacker needs to be able to reach the Dgraph Alpha HTTP port from an untrusted network. The vulnerability is triggered when an unauthenticated request is made to the /debug/pprof/cmdline endpoint. If the Dgraph instance is configured with an admin token using the --security "token=..." startup flag, this token will be exposed.

Who should be concerned about this Dgraph vulnerability?

Organizations running Dgraph, especially those with their Alpha HTTP port accessible from the internet, should be concerned. While Dgraph is typically an internal system, any exposure to untrusted parties, even if unintentional, presents a risk of unauthorized administrative access and control. [cite:haloSurfaceSignal]

What is the first step to address this CVE threat?

The immediate and most crucial step is to update Dgraph to version 25.3.2, which contains the fix for this vulnerability. If immediate patching is not possible, restrict network access to the Dgraph Alpha HTTP port to prevent external access.

References