CVE-2026-41492
Published 2026-04-24
Priority P273 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS (exploit probability): 2.19%, 80.2nd percentile
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgraph-io | dgraph | < 25.3.3 | 25.3.3 |
| dgraph | dgraph | < 25.3.3 | 25.3.3 |
| github.com | dgraph-io_dgraph | 0 – 1.2.8 | — |
| github.com | dgraph-io_dgraph_v24 | 0 – 24.1.8 | — |
| github.com | dgraph-io_dgraph_v25 | >= 0 < 25.3.3 | 25.3.3 |
Detection & IOCs (extracted from sources)
sigma: GET /debug/vars HTTP/1.x -> response body contains 'cmdline' AND 'token='
yara: regex 'token=([^"\\]+)'
- Send an unauthenticated HTTP GET to /debug/vars on the Dgraph Alpha port; a vulnerable instance returns HTTP 200 with Content-Type: application/json and a body containing both 'cmdline' and 'token=' strings, leaking the admin token in plaintext.
- Extract the admin token from the /debug/vars response body using the regex pattern 'token=([^"\]+)' and watch for subsequent requests carrying that value in the X-Dgraph-AuthToken header to admin-only endpoints.
- This is a variant of the previously patched /debug/pprof/cmdline exposure; the incomplete fix only blocked /debug/pprof/cmdline while leaving /debug/vars (served via http.DefaultServeMux / expvar) accessible without authentication.
- Shodan query 'Dgraph' can be used to identify internet-exposed Dgraph instances for proactive scanning.
- The vulnerability only affects Dgraph versions up to and including 25.3.2; version 25.3.3 contains the fix. Confirm the running version before treating a /debug/vars response as exploitable.
- The admin token is only present in /debug/vars output when Dgraph Alpha was started with the --security 'token=...' flag; instances not using token-based auth will not expose a usable credential even if the endpoint is reachable.
- The endpoint is served on the Dgraph Alpha HTTP port (not a separate admin port); network-level blocking of /debug/vars is a viable compensating control until patching is possible.
GHSA
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars
ghsa · 2026-04-24 · CVE-2026-41492 [CRITICAL] · CWE-200
### Summary
Dgraph `v25.3.2` still exposes the process command line through the unauthenticated `/debug/vars` endpoint on Alpha. Because the admin token is commonly supplied via the `--security "token=..."` startup flag, an unauthenticated attacker can retrieve that token and replay it in the `X-Dgraph-AuthToken` header to access admin-only endpoints.
This is a variant of the previously fixed `/debug/pprof/cmdline` issue, but the current fix is incomplete because it blocks only `/debug/pprof/cmdline` and still serves `http.DefaultServeMux`, which includes `expvar`'s `/debug/vars` handler.
### Details
Alpha still exposes Go's default HTTP mux:
- `x/metrics.go`
- imports `expvar`
- initializes
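The mechanism described in this advisory, as an added Go example that is not Dgraph's code: a blank import of `expvar` registers `/debug/vars` on `http.DefaultServeMux`, so a server that hands out that mux keeps serving it even when one specific path is blocked, whereas a dedicated mux does not. The `partialBlock`, `hardenedMux` and `/health` names are constructed for the illustration.

```go
// Added illustration (not Dgraph's code): importing expvar registers /debug/vars
// on http.DefaultServeMux; only a fresh mux avoids inheriting that handler.
package main

import (
	_ "expvar" // side effect: http.HandleFunc("/debug/vars", ...) on DefaultServeMux
	"fmt"
	"net/http"
	"net/http/httptest"
)

// debugVarsStatus serves h in-process, requests /debug/vars unauthenticated, returns the status.
func debugVarsStatus(h http.Handler) int {
	srv := httptest.NewServer(h)
	defer srv.Close()
	resp, err := http.Get(srv.URL + "/debug/vars")
	if err != nil {
		return 0
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

// partialBlock models the incomplete fix the advisory describes: one path is
// denied, but everything else still falls through to http.DefaultServeMux.
func partialBlock() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/debug/pprof/cmdline" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		http.DefaultServeMux.ServeHTTP(w, r)
	})
}

// hardenedMux is the fix class: mount only intended routes on a dedicated mux,
// so handlers registered by imported packages are not reachable.
func hardenedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok") // constructed application route
	})
	return mux
}

func main() {
	fmt.Println("DefaultServeMux:", debugVarsStatus(http.DefaultServeMux)) // 200
	fmt.Println("partial block:  ", debugVarsStatus(partialBlock()))       // 200
	fmt.Println("hardened mux:   ", debugVarsStatus(hardenedMux()))        // 404
}
```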
VulDB
dgraph-io dgraph 25.3.1/25.3.2 /debug/vars information disclosure (EUVD-2026-25599)
vuldb · 2026-04-24 · CVSS 9.8 · CVE-2026-41492 [CRITICAL]
A vulnerability identified as problematic has been detected in dgraph-io dgraph 25.3.1/25.3.2. The impacted element is an unknown function of the file /debug/vars. Performing a manipulation results in information disclosure.
This vulnerability is reported as CVE-2026-41492. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.
No detection rules found.
Nuclei
Dgraph <= 25.3.2 - Admin Token Disclosure
nuclei · CVSS 9.8 · CVE-2026-41492 [CRITICAL]
Dgraph <= 25.3.2 contains an information disclosure caused by unauthenticated access to the /debug/vars endpoint, which publishes the cmdline variable including the --security token= flag, letting unauthenticated remote attackers retrieve the admin token and access admin-only endpoints. Exploitation requires no authentication.
Template:

```yaml
id: CVE-2026-41492
info:
  name: Dgraph <= 25.3.2 - Admin Token Disclosure
  author: Divine Balija
  severity: critical
  description: |
    Dgraph <= 25.3.2 contains an information disclosure caused by unauthenticated access to the /debug/vars endpoint , which publishes the cmdline variable including the --security token= flag, letting unauthenticated remote attackers retrieve the admin token and access admin-only endpoints, e
```
No writeups or analysis indexed.