GHSA-P749-9W62-W533 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Summary The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling. Details A blank import of net/http/pprof...

PT-2026-50978

Name of the Vulnerable Software and Affected Versions Tilt versions 0.19.5 through 0.37.3 Description The Tilt HUD server mounts Go's net/http/pprof handlers under the '/debug' endpoint without access control. When the HUD is network-exposed, an unauthenticated caller can read process memory via...

GHSA-J93G-RP6M-J32M Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...

PT-2026-48807

Name of the Vulnerable Software and Affected Versions Arc versions prior to 26.06.1 Description Arc registers Go net/http/pprof handlers at the /debug/pprof/ endpoint. Due to a configuration where /debug/pprof is added to PublicPrefixes and the authentication middleware short-circuits before toke...

CVE-2026-40173

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line...

VulnCheck KEV: CVE-2025-60021

Remote command injection vulnerability in heap profiler builtin service in Apache bRPC all versions 1.15.0 on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service /pprof/heap does not validate the user-provided extraoptions parameter and...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

CVE-2026-40173 Dgraph: Unauthenticated pprof endpoint leaks admin auth token

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line...

CVE-2026-40173

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line...

CVE-2026-40173 Dgraph: Unauthenticated pprof endpoint leaks admin auth token

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line...

CVE-2026-40173

Dgraph (Open Source GraphQL DB) versions

PT-2026-33176

Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.2 Description An unauthenticated credential disclosure exists where the '/debug/pprof/cmdline' endpoint is registered on the default mux and accessible without authentication. This exposes the full process command...

GO-2026-4334 Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet

Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet...

PT-2026-6509

Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet...

📄 Apache bRPC 1.14.0 Command Injection

Apache bRPC versions 1.14.0 and below proof of concept command injection exploit that leverages exposed pprof endpoints. ============================================================================================================================================= | Title : Apache bRPC = 1.14.0...

CVE-2026-23517

Fleet (open source device management software) has a broken access control vulnerability in debug/pprof endpoints that allows any authenticated user, including the lowest-privilege Observer role, to access internal server diagnostics and trigger CPU-intensive profiling operations. This affects ve...