Description
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.
Published: 2026-04-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of admin token leading to authentication bypass
Action: Apply Patch
AI Analysis

Impact

Dgraph, an open‑source distributed GraphQL database, exposes the process command line through its unauthenticated /debug/vars endpoint on the Alpha API. The admin token is normally supplied via the --security "token=..." startup flag, so an attacker who reads /debug/vars can recover this token and reuse it in the X-Dgraph-AuthToken header to access privileged admin‑only endpoints. The flaw stems from an incomplete mitigation of a prior /debug/pprof/cmdline disclosure; the fix only blocked that handler and left the default HTTP multiplexer, which still serves the expvar /debug/vars endpoint. The vulnerability is a classic information‑leak (CWE-200) that can be turned into a full authentication bypass.

Affected Systems

The issue affects installations of dgraph-io:dgraph versions prior to 25.3.3. Any deployment that has the /debug/vars path enabled and that supplies an admin token via the --security flag is vulnerable. The affected component is the Alpha API server, which serves the expvar metrics endpoint without authorization.

Risk and Exploitability

The CVSS score of 9.8 marks this as critical. The EPSS score of less than 1% indicates exploitation probability is currently very low, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploitation. Nevertheless, an attacker who can reach the /debug/vars endpoint—such as through an exposed localhost interface or misconfigured network—can retrieve the admin token in one request, then replay it to any admin endpoint. The attack requires no authentication and can be performed entirely via HTTP GET, making it trivial in the correct environment.

Generated by OpenCVE AI on April 28, 2026 at 13:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dgraph to version 25.3.3 or later, which removes the /debug/vars handler from the default HTTP multiplexer.
  • Restrict network exposure of the Alpha API; place the /debug/vars endpoint behind an internal firewall or VPN and block access from untrusted networks.
  • If upgrading is not yet possible, temporarily disable the /debug/vars handler (e.g., remove the expvar registration or patch the HTTP multiplexer to exclude the endpoint).
  • Avoid passing the admin token via the command‑line flag; instead store it in a secure environment variable or secret store to reduce exposure in process listings.

Generated by OpenCVE AI on April 28, 2026 at 13:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vvf7-6rmr-m29q Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dgraph:dgraph:*:*:*:*:*:go:*:*

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Dgraph
Dgraph dgraph
Vendors & Products Dgraph
Dgraph dgraph

Fri, 24 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.
Title Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars in Dgraph
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dgraph Dgraph
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T19:13:03.267Z

Reserved: 2026-04-20T16:14:19.008Z

Link: CVE-2026-41492

cve-icon Vulnrichment

Updated: 2026-04-24T19:11:18.951Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T19:17:14.047

Modified: 2026-04-28T18:28:30.287

Link: CVE-2026-41492

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:45:06Z

Weaknesses