CVE-2026-41492
published 2026-04-24


Priority: P273 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.19% (80.2th percentile)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.

Affected

5 ranges

Vendor       Product                 Version range      Fixed in
dgraph-io    dgraph                  < 25.3.3           25.3.3
dgraph       dgraph                  < 25.3.3           25.3.3
github.com   dgraph-io_dgraph        0 – 1.2.8          (none listed)
github.com   dgraph-io_dgraph_v24    0 – 24.1.8         (none listed)
github.com   dgraph-io_dgraph_v25    >= 0, < 25.3.3     25.3.3

Detection & IOCs (extracted from sources)

url: /debug/vars
other: X-Dgraph-AuthToken: <token>
command: --security "token=..."
sigma: GET /debug/vars HTTP/1.x -> response body contains 'cmdline' AND 'token='
yara: regex: 'token=([^"\\]+)'
  • Send an unauthenticated HTTP GET to /debug/vars on Dgraph Alpha port; a vulnerable instance returns HTTP 200 with Content-Type: application/json and a body containing both 'cmdline' and 'token=' strings, leaking the admin token in plaintext.
  • Extract the admin token from the /debug/vars response body using the regex pattern 'token=([^"\]+)' and watch for subsequent requests carrying that value in the X-Dgraph-AuthToken header to admin-only endpoints.
  • This is a variant of the previously patched /debug/pprof/cmdline exposure; the incomplete fix only blocked /debug/pprof/cmdline while leaving /debug/vars (served via http.DefaultServeMux / expvar) accessible without authentication.
  • Shodan query 'Dgraph' can be used to identify internet-exposed Dgraph instances for proactive scanning.
  • Vulnerability only affects Dgraph versions up to and including 25.3.2; version 25.3.3 contains the fix. Confirm the running version before treating a /debug/vars response as exploitable.
  • The admin token is only present in /debug/vars output when Dgraph Alpha was started with the --security 'token=...' flag; instances not using token-based auth will not expose a usable credential even if the endpoint is reachable.
  • The endpoint is served on the Dgraph Alpha HTTP port (not a separate admin port); network-level blocking of /debug/vars is a viable compensating control until patching is possible.
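The root cause described above (serving http.DefaultServeMux, onto which the standard-library expvar package registers /debug/vars at import time) and the detection check from the notes are illustrated below in an added Go program. It is not Dgraph's code and not taken from the advisory: the two mux constructors, the /health route, the probe helper and the two sample expvar bodies (including the token placeholder) are constructed for this example. The hardened variant shows the mitigation shape: a private http.NewServeMux carries only the routes the application registers itself, so handlers attached to the global mux by other packages are not reachable. The checker returns only a verdict, never the token value.

```go
package main

import (
	"encoding/json"
	_ "expvar" // side effect only: registers /debug/vars on http.DefaultServeMux
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// weakMux mirrors the pre-25.3.3 shape from the advisory: the server hands out
// http.DefaultServeMux, so it also serves every handler that any linked package
// attached to the global mux, including expvar's /debug/vars (process cmdline).
func weakMux() http.Handler {
	return http.DefaultServeMux
}

// hardenedMux is the mitigation shape: a private mux carries only the routes the
// application registers itself, so nothing attached to DefaultServeMux by stdlib
// or third-party init functions is reachable. The /health route is illustrative.
func hardenedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	})
	return mux
}

// probe issues an in-process GET against a handler and returns status,
// Content-Type and body, so both mux shapes can be compared without a socket.
func probe(h http.Handler, path string) (int, string, []byte) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Header().Get("Content-Type"), rec.Body.Bytes()
}

// tokenInCmdline is the defender-side check from the detection notes: a 200
// JSON response whose "cmdline" array holds an argument containing "token=".
// It returns only a verdict, never the token itself, so a scanner or log
// pipeline can flag the exposure without copying the credential around.
func tokenInCmdline(status int, contentType string, body []byte) bool {
	if status != http.StatusOK || !strings.HasPrefix(contentType, "application/json") {
		return false
	}
	var vars map[string]json.RawMessage
	if err := json.Unmarshal(body, &vars); err != nil {
		return false
	}
	var args []string
	if err := json.Unmarshal(vars["cmdline"], &args); err != nil {
		return false // no cmdline key, or not a string array
	}
	for _, a := range args {
		if strings.Contains(a, "token=") {
			return true
		}
	}
	return false
}

// Constructed samples of an expvar body (not captured from a real host).
const sampleLeakBody = `{
"cmdline": ["/usr/local/bin/dgraph", "alpha", "--security", "token=EXAMPLE-PLACEHOLDER"],
"memstats": {"Alloc": 1}
}`

const sampleCleanBody = `{
"cmdline": ["/usr/local/bin/dgraph", "alpha"],
"memstats": {"Alloc": 1}
}`

func main() {
	for _, m := range []struct {
		name string
		h    http.Handler
	}{{"DefaultServeMux", weakMux()}, {"private mux", hardenedMux()}} {
		st, ct, body := probe(m.h, "/debug/vars")
		fmt.Printf("%-15s GET /debug/vars -> %d %q, cmdline present: %v\n",
			m.name, st, ct, strings.Contains(string(body), `"cmdline"`))
	}
	ct := "application/json; charset=utf-8"
	fmt.Println("sample leak body flagged: ", tokenInCmdline(200, ct, []byte(sampleLeakBody)))
	fmt.Println("sample clean body flagged:", tokenInCmdline(200, ct, []byte(sampleCleanBody)))
}
```

Running it prints a 200 with a cmdline array for the DefaultServeMux case and a 404 for the private mux, which is the whole difference the fix relies on. Note that the live process in this example is not started with a token flag, so only the constructed leak body trips the checker; against a real Alpha the same function would report true exactly when the --security "token=..." flag is visible.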