Skip to main content

Dgraph CVE-2026-41492

| EUVDEUVD-2026-25599 CRITICAL
Information Exposure (CWE-200)
2026-04-24 https://github.com/dgraph-io/dgraph GHSA-vvf7-6rmr-m29q
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 28, 2026 - 18:28 nvd
Patch available
Patch available
Apr 24, 2026 - 20:17 EUVD
Re-analysis Queued
Apr 24, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 16:30 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 16:15 euvd
EUVD-2026-25599
Analysis Generated
Apr 24, 2026 - 16:15 vuln.today
CVE Published
Apr 24, 2026 - 16:15 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Summary

Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints.

This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler.

Details

Alpha still exposes Go's default HTTP mux:

  • x/metrics.go
  • imports expvar
  • initializes Conf = expvar.NewMap("dgraph_config")
  • Go's expvar package automatically registers /debug/vars
  • expvar publishes:
  • cmdline = os.Args
  • memstats = runtime.Memstats

Alpha's HTTP handler explicitly blocks only the old CVE path:

  • dgraph/cmd/alpha/run.go
  • checks if r.URL.Path == "/debug/pprof/cmdline" and returns 404
  • otherwise falls through to http.DefaultServeMux.ServeHTTP(w, r)

Admin endpoints still trust the leaked token:

  • dgraph/cmd/alpha/admin.go
  • reads X-Dgraph-AuthToken
  • compares it to worker.Config.AuthToken

PoC

  1. Send an unauthenticated request to Alpha:
http
GET /debug/vars HTTP/1.1
Host: target:8080
  1. Parse the JSON response and read the cmdline field.
  2. Extract the admin token from the startup arguments, for example:
text
--security token=debug-vars-secret;
  1. Replay the token to an admin-only endpoint:
http
GET /admin/config/cache_mb HTTP/1.1
Host: target:8080
X-Dgraph-AuthToken: debug-vars-secret
  1. The request is accepted as an authorized admin request.

This was reproduced against dgraph/dgraph:v25.3.2 in Docker.

Observed behavior:

  • unauthenticated /debug/vars leaked the configured token
  • replaying the leaked token in X-Dgraph-AuthToken successfully accessed /admin/config/cache_mb
  • response body was:
text
4096

It was verified that the old CVE path appears specifically patched in the same version:

  • /debug/pprof/cmdline returned 404 Not Found
  • /debug/pprof/ remained reachable

Impact

Unauthenticated attackers can obtain the Alpha admin token and gain unauthorized administrative access.

This enables privileged admin operations such as:

  • reading privileged admin configuration
  • mutating admin configuration
  • performing operational control actions gated by X-Dgraph-AuthToken

In deployments where the Alpha HTTP port is reachable by untrusted parties, this is a practical authentication bypass to admin functionality.

AnalysisAI

Unauthenticated attackers can steal admin tokens from Dgraph Alpha v25.3.2 and earlier via the exposed /debug/vars endpoint, enabling complete authentication bypass to administrative functions. The vulnerability exists because Dgraph incompletely fixed a previous cmdline exposure issue-blocking only /debug/pprof/cmdline while still serving Go's expvar handler at /debug/vars, which publishes the full command-line arguments including --security token= flags. Attackers can retrieve the token remotely without authentication (CVSS AV:N/PR:N) and replay it in X-Dgraph-AuthToken headers to access admin-only endpoints. Vendor patch released in v25.3.3 per GitHub advisory GHSA-vvf7-6rmr-m29q. No public exploit identified at time of analysis, but detailed proof-of-concept steps are published in the advisory.

Technical ContextAI

Dgraph is a distributed graph database written in Go. The vulnerability stems from incomplete remediation of a previous information disclosure issue. Dgraph's Alpha component (the data-serving node) imports Go's expvar package for metrics collection, which automatically registers the /debug/vars HTTP handler on the default ServeMux. This handler exposes runtime diagnostics including os.Args (command-line arguments) in JSON format. While developers blocked the previously exploited /debug/pprof/cmdline path with a hardcoded 404 check, they continued serving http.DefaultServeMux for all other paths, leaving expvar's /debug/vars endpoint exposed. The root cause falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) because the application leaks authentication credentials through a debug interface. Affected CPE identifiers include pkg:go/github.com_dgraph-io_dgraph across v24.x and v25.x branches. The authentication mechanism in dgraph/cmd/alpha/admin.go validates admin requests by comparing the X-Dgraph-AuthToken header against worker.Config.AuthToken, which is typically set via the --security token= startup flag-the same flag exposed in /debug/vars.

RemediationAI

Upgrade immediately to Dgraph v25.3.3 released at https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3, which addresses the /debug/vars exposure. For deployments that cannot immediately upgrade, implement these compensating controls in order of effectiveness: (1) Configure admin tokens via environment variables or configuration files instead of command-line flags to prevent leakage through cmdline exposure-note this requires application restart and deployment automation changes. (2) Block external access to all /debug/* paths at the network perimeter (firewall, reverse proxy, ingress controller) using path-based filtering rules-this prevents token leakage but does not fix the underlying exposure and may impact legitimate debugging workflows. (3) Restrict Alpha HTTP port (default 8080) to trusted internal networks only via firewall rules-this reduces attack surface but breaks any legitimate external API access. (4) Deploy Alpha nodes behind authentication-enforcing reverse proxies that strip /debug/* requests before reaching Dgraph-adds architectural complexity and latency. Each workaround trades operational convenience or functionality for security. Only the vendor patch (v25.3.3) comprehensively resolves the issue. Verify remediation by confirming GET /debug/vars returns 404 or 403 after upgrade.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-41492 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy