PT-2026-33176 · Dgraph · Dgraph

Published 2026-04-15 · Updated 2026-04-19 · CVE-2026-40173

CVSS v3.1: 9.4 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
Name of the Vulnerable Software and Affected Versions: Dgraph versions prior to 25.3.2

Description: An unauthenticated credential disclosure exists because the '/debug/pprof/cmdline' endpoint is registered on the default mux and is reachable without authentication. The endpoint returns the full process command line, including the admin token passed via the --security "token=..." startup flag. An attacker who retrieves this token can present it in the X-Dgraph-AuthToken header, pass the adminAuthHandler() token validation, and gain unauthorized privileged administrative access to endpoints such as '/admin/config/cache mb'. This permits unauthorized configuration changes and operational control actions whenever the Alpha HTTP port is reachable by untrusted parties.

Recommendations: Update to version 25.3.2.
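As an added illustration of the mitigation the advisory implies (constructed here, not Dgraph's code): serve the public Alpha HTTP port from a fresh mux that carries no pprof handler, gate admin routes on the X-Dgraph-AuthToken header, and self-check at startup that the default mux, which net/http/pprof silently populates, is not the one exposed. The requireToken middleware, the '/admin/' prefix and the token value are assumptions.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // the import alone registers /debug/pprof/* on http.DefaultServeMux
)

// requireToken gates next behind a constant-time check of X-Dgraph-AuthToken
// (constructed middleware, not Dgraph's adminAuthHandler).
func requireToken(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Dgraph-AuthToken")), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewPublicMux is a fresh mux for the externally reachable port: admin routes are
// token-gated and nothing under /debug/pprof/ is registered, so the process command
// line (and the token on it) is not readable there; pprof belongs on a loopback-only mux.
func NewPublicMux(adminToken string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/admin/", requireToken(adminToken, http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })))
	return mux
}

// ServesPath reports whether mux has any handler for path; use it as a startup
// self-check that the public mux is not http.DefaultServeMux and carries no pprof.
func ServesPath(mux *http.ServeMux, path string) bool {
	_, pattern := mux.Handler(httptest.NewRequest(http.MethodGet, path, nil))
	return pattern != ""
}

// Status returns the HTTP status mux gives a GET to path with the given token header.
func Status(mux http.Handler, path, token string) int {
	r := httptest.NewRequest(http.MethodGet, path, nil)
	r.Header.Set("X-Dgraph-AuthToken", token)
	w := httptest.NewRecorder()
	mux.ServeHTTP(w, r)
	return w.Code
}

func main() {
	println("pprof on DefaultServeMux:", ServesPath(http.DefaultServeMux, "/debug/pprof/cmdline"))
}
```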

Weakness Enumeration

Information Disclosure

Related Identifiers

CVE-2026-40173
GHSA-95MQ-XWJ4-R47P

Affected Products

Dgraph