CVE-2026-40173

Published: Apr 15, 2026 Last Modified: Apr 16, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,4

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: low

Description

AI Translation Available

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security 'token=...' startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0010

Percentile

0,3th

Updated

Single Data Point

Only one EPSS measurement is available for this CVE. Trend analysis requires multiple data points over time.

200

Exposure of Sensitive Information to an Unauthorized Actor

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data

Applicable Platforms

Technologies: Mobile, Not Technology-Specific, Web Based

Likelihood of Exploit: High

View CWE Details

215

Insertion of Sensitive Information Into Debugging Code

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/dgraph-io/dgraph/security/advisories/GHS…

https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p

https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2

https://github.com/dgraph-io/dgraph/security/advisories/GHS…

https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p

CVE-2026-40173

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

Single Data Point

Exposure of Sensitive Information to an Unauthorized Actor

Common Consequences

Applicable Platforms

Insertion of Sensitive Information Into Debugging Code

Common Consequences

Applicable Platforms

Iscriviti alla newsletter