Critical Dgraph Flaw Leaks Admin Tokens, Bypassing Authentication

A critical unauthenticated credential disclosure vulnerability, tracked as CVE-2026-40173, has been identified in Dgraph, the open-source distributed GraphQL database. According to the National Vulnerability Database, versions 25.3.1 and earlier are susceptible to this flaw, which could grant unauthorized administrative access.

The core of the issue lies in Dgraph’s /debug/pprof/cmdline endpoint. This endpoint, registered on the default mux, is accessible without any authentication. It inadvertently exposes the full process command line, which critically includes the admin token configured via the --security "token=..." startup flag. An attacker can simply retrieve this leaked token and then reuse it in the X-Dgraph-AuthToken header to access admin-only endpoints, such as /admin/config/cache_mb. This effectively bypasses Dgraph’s adminAuthHandler token validation, handing over privileged administrative control, including configuration modifications and operational actions.

The impact is severe for any deployment where the Alpha HTTP port is reachable by untrusted parties. The National Vulnerability Database has assigned this a CVSS score of 9.4 (CRITICAL). Fortunately, Dgraph has addressed this security hole in version 25.3.2, and users are strongly advised to upgrade immediately.
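The registration mistake described above, and the gated layout that closes it, as an added example written for this page. It is not Dgraph's own code: the handlers, the constructed process arguments, the placeholder token and the `debugEndpointLeaksSecret` self-check are all assumptions made here to show the pattern. `cmdlineHandler` reproduces what net/http/pprof's cmdline handler does (write the NUL-separated argument list to any caller); the "vulnerable" mux serves it with no gate while the admin route is gated, and the "hardened" mux puts the debug route behind the same token check. The final function is the regression check a deployer can run against a build: does an unauthenticated read of the debug endpoint return the configured secret?

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// adminToken stands in for the value passed with --security "token=...".
// Constructed placeholder for this example, not a real credential.
const adminToken = "EXAMPLE-ADMIN-TOKEN-NOT-REAL"

// processArgs is a constructed stand-in for os.Args of an Alpha started with the token flag.
var processArgs = []string{"dgraph", "alpha", "--security", "token=" + adminToken}

// cmdlineHandler mirrors net/http/pprof's /debug/pprof/cmdline behaviour:
// it writes the process arguments, NUL-separated, to whoever asks.
func cmdlineHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	fmt.Fprint(w, strings.Join(processArgs, "\x00"))
}

// adminHandler stands in for an admin-only route such as /admin/config/cache_mb.
func adminHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "admin ok")
}

// requireAdminToken is the gate admin routes sit behind: the request must carry
// the configured token in X-Dgraph-AuthToken (compared in constant time).
func requireAdminToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-Dgraph-AuthToken")
		if subtle.ConstantTimeCompare([]byte(got), []byte(adminToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newVulnerableMux reproduces the flawed layout: the admin route is gated, but the
// debug route is registered directly on the mux, so anyone can read the command line.
func newVulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/cmdline", cmdlineHandler)
	mux.Handle("/admin/config/cache_mb", requireAdminToken(http.HandlerFunc(adminHandler)))
	return mux
}

// newHardenedMux puts the debug route behind the same token gate as the admin route.
// Binding pprof only to a loopback listener is the other common fix.
func newHardenedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/debug/pprof/cmdline", requireAdminToken(http.HandlerFunc(cmdlineHandler)))
	mux.Handle("/admin/config/cache_mb", requireAdminToken(http.HandlerFunc(adminHandler)))
	return mux
}

// probe sends one in-memory request, optionally with the token header,
// and returns the status code and response body.
func probe(h http.Handler, path, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("X-Dgraph-AuthToken", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	body, _ := io.ReadAll(rec.Result().Body)
	return rec.Code, string(body)
}

// debugEndpointLeaksSecret is the regression check to run against a build:
// true if an unauthenticated read of the debug endpoint returns the secret.
func debugEndpointLeaksSecret(h http.Handler, secret string) bool {
	status, body := probe(h, "/debug/pprof/cmdline", "")
	return status == http.StatusOK && strings.Contains(body, secret)
}

func main() {
	fmt.Println("vulnerable layout leaks token:", debugEndpointLeaksSecret(newVulnerableMux(), adminToken))
	fmt.Println("hardened layout leaks token:  ", debugEndpointLeaksSecret(newHardenedMux(), adminToken))
}
```

The check is deliberately phrased in terms of the configured secret rather than the endpoint's existence: a deployment that keeps pprof for operators but binds it to a loopback-only listener passes it, while any layout that serves the command line to an unauthenticated caller on the Alpha HTTP port fails it.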

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access), severity high: web application exploitation attempt, CVE-2026-40173


Indicators of Compromise

ID | Type | Indicator
CVE-2026-40173 | Information Disclosure | Dgraph versions 25.3.1 and prior
CVE-2026-40173 | Information Disclosure | Unauthenticated access to /debug/pprof/cmdline endpoint
CVE-2026-40173 | Auth Bypass | Leaked admin token from --security "token=..." startup flag
CVE-2026-40173 | Auth Bypass | Unauthorized access to /admin/config/cache_mb using X-Dgraph-AuthToken header
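Turning the two behavioural indicators in the table (an unauthenticated read of /debug/pprof/cmdline, then admin access from the same client) into detection logic, as an added example that is not part of the original post or of any vendor rule set. The log format, the field order and the sample lines are constructed assumptions: each line is `client method path status`, as a reverse proxy in front of the Alpha HTTP port might emit. The first rule flags any successful response from the debug tree at all (exposure on an untrusted interface is the finding, whoever the client is); the second flags a client that is served an /admin/ route after having read the command line, which is the sequence the advisory describes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one parsed access-log line.
type Event struct {
	Client, Method, Path string
	Status               int
}

// Finding names the client and the rule it tripped.
type Finding struct {
	Client, Rule string
}

// lineRe matches the constructed format "client method path status".
var lineRe = regexp.MustCompile(`^(\S+) (\S+) (\S+) (\d{3})$`)

// parseLine returns the event for a well-formed line, or ok=false to skip noise.
func parseLine(s string) (Event, bool) {
	m := lineRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Event{}, false
	}
	status := 0
	fmt.Sscanf(m[4], "%d", &status)
	return Event{Client: m[1], Method: m[2], Path: m[3], Status: status}, true
}

// detect walks the lines in order and emits:
//   debug-endpoint-exposed          any 2xx from /debug/pprof/ on this interface
//   admin-access-after-cmdline-read a 2xx on /admin/ from a client that earlier
//                                   read /debug/pprof/cmdline (token reuse pattern)
func detect(lines []string) []Finding {
	var out []Finding
	readCmdline := map[string]bool{} // clients that have already pulled the command line
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok {
			continue
		}
		success := ev.Status >= 200 && ev.Status < 300
		if strings.HasPrefix(ev.Path, "/debug/pprof/") && success {
			out = append(out, Finding{ev.Client, "debug-endpoint-exposed"})
			if ev.Path == "/debug/pprof/cmdline" {
				readCmdline[ev.Client] = true
			}
		}
		if strings.HasPrefix(ev.Path, "/admin/") && success && readCmdline[ev.Client] {
			out = append(out, Finding{ev.Client, "admin-access-after-cmdline-read"})
		}
	}
	return out
}

// sampleLog is constructed test data, not a capture from any real deployment.
var sampleLog = []string{
	"10.0.0.5 POST /graphql 200",
	"203.0.113.7 GET /debug/pprof/cmdline 200",
	"10.0.0.9 GET /health 200",
	"203.0.113.7 GET /admin/config/cache_mb 200",
	"10.0.0.5 GET /admin/config/cache_mb 401",
	"198.51.100.2 GET /debug/pprof/cmdline 200",
	"garbage line that should be skipped",
}

func main() {
	for _, f := range detect(sampleLog) {
		fmt.Printf("%-32s %s\n", f.Rule, f.Client)
	}
}
```

On the sample data the first rule fires for both clients that reached the debug tree, and the second fires once, for the client that read the command line and then got a 200 from the admin route; the client that was refused with 401 is not reported, and the malformed line is skipped rather than aborting the run.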
