Dgraph, an open source distributed GraphQL database, has an unauthenticated credential disclosure vulnerability in versions prior to 25.3.2. The /debug/pprof/cmdline endpoint is accessible without authentication and reveals the full process command line, including the admin token passed via the --security "token=..." startup flag. An attacker can retrieve this token and reuse it in the X-Dgraph-AuthToken header to bypass admin token validation and access admin-only endpoints such as /admin/config/cache_mb. This grants unauthorized privileged administrative access, including configuration and operational control, on any deployment where the Alpha HTTP port is exposed to untrusted parties. The issue is resolved in version 25.3.2.

An attacker can obtain the admin token without authentication and use it to gain unauthorized administrative access to the Dgraph database. This allows the attacker to perform privileged actions such as changing configurations and controlling operational parameters, potentially compromising the integrity and availability of the database. The vulnerability has a CVSS score of 9.4 (critical), indicating high impact on confidentiality, integrity, and low impact on availability.

Upgrade Dgraph to version 25.3.2 or later, where this vulnerability is fixed. Until the upgrade is applied, restrict access to the Alpha HTTP port to trusted parties only to prevent unauthorized access to the vulnerable endpoint. Patch status is confirmed fixed in version 25.3.2.