Ctrl + K
/ news / CVE
CVEPublished 2026-04-15Modified 2026-04-251 article on news5 live referencesNVD data

CVE-2026-40173Dgraph · Dgraph

Vulnerability data via NVD (ingested)

CVSS v3.1
9.4
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS percentile
31
Exploit Prediction Scoring System · top 69% of all CVEs
Weaknesses (CWE)
CWE-200Exposure of Sensitive Information to an Unauthorized ActorCWE-215Insertion of Sensitive Information Into Debugging CodeCWE-522Insufficiently Protected Credentials
Description

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints such as /admin/config/cache_mb, bypassing the adminAuthHandler token validation. This enables unauthorized privileged administrative access including configuration changes and operational control actions in any deployment where the Alpha HTTP port is reachable by untrusted parties. This issue has been fixed in version 25.3.2.

Timeline
Published 2026-04-15
Modified 2026-04-25

External references

NVDMITREExploit-DBSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag87 hosts
vuln:CVE-2026-40173
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Dgraph Dgraph"
All exposed Dgraph Dgraph instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Dgraph"
HTTP body or banner mentions "Dgraph" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-40173
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-40173
Censys host search filtered to this CVE id.
grep.app
CVE-2026-40173
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-40173
GitHub code search for direct mentions.
Google dork
"CVE-2026-40173" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub

No public proof-of-concept repositories found for CVE-2026-40173 on GitHub.
Articles on news mentioning CVE-2026-40173