CVE-2026-41492: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in dgraph-io dgraph
Dgraph versions prior to 25. 3. 3 expose sensitive information via an unauthenticated /debug/vars endpoint on the Alpha component. This exposure includes the process command line, which often contains the admin token passed as a startup flag. An attacker can retrieve this token and use it to access admin-only endpoints by replaying it in the X-Dgraph-AuthToken header. This vulnerability is a variant of a previously fixed issue but was incompletely remediated. The vulnerability is fixed in version 25. 3. 3.
AI Analysis
Technical Summary
Dgraph, an open source distributed GraphQL database, has a critical vulnerability (CVE-2026-41492) affecting versions before 25.3.3. The vulnerability arises because the /debug/vars endpoint on the Alpha server exposes the process command line without authentication. Since the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can extract this token from the exposed command line and use it to authenticate as an admin by including it in the X-Dgraph-AuthToken header. This issue is a variant of a previously fixed vulnerability related to /debug/pprof/cmdline, but the fix was incomplete as it only blocked that specific endpoint and did not disable /debug/vars, which is part of the default HTTP server mux. The vulnerability is addressed in Dgraph version 25.3.3.
Potential Impact
An unauthenticated attacker can obtain the admin token by accessing the exposed /debug/vars endpoint, allowing them to impersonate an administrator and access admin-only endpoints. This leads to a complete compromise of confidentiality, integrity, and availability of the affected Dgraph instance. The CVSS v3.1 score is 9.8 (critical), reflecting the high impact and ease of exploitation.
Mitigation Recommendations
This vulnerability is fixed in Dgraph version 25.3.3. Users should upgrade to version 25.3.3 or later to remediate this issue. Patch status is not explicitly confirmed in the vendor advisory content provided, but the description states the fix is included in 25.3.3. Until upgrading, restrict access to the /debug/vars endpoint and avoid passing sensitive tokens via command line flags if possible.
CVE-2026-41492: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in dgraph-io dgraph
Description
Dgraph versions prior to 25. 3. 3 expose sensitive information via an unauthenticated /debug/vars endpoint on the Alpha component. This exposure includes the process command line, which often contains the admin token passed as a startup flag. An attacker can retrieve this token and use it to access admin-only endpoints by replaying it in the X-Dgraph-AuthToken header. This vulnerability is a variant of a previously fixed issue but was incompletely remediated. The vulnerability is fixed in version 25. 3. 3.
CVSS v3.1
Score 9.8critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Dgraph, an open source distributed GraphQL database, has a critical vulnerability (CVE-2026-41492) affecting versions before 25.3.3. The vulnerability arises because the /debug/vars endpoint on the Alpha server exposes the process command line without authentication. Since the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can extract this token from the exposed command line and use it to authenticate as an admin by including it in the X-Dgraph-AuthToken header. This issue is a variant of a previously fixed vulnerability related to /debug/pprof/cmdline, but the fix was incomplete as it only blocked that specific endpoint and did not disable /debug/vars, which is part of the default HTTP server mux. The vulnerability is addressed in Dgraph version 25.3.3.
Potential Impact
An unauthenticated attacker can obtain the admin token by accessing the exposed /debug/vars endpoint, allowing them to impersonate an administrator and access admin-only endpoints. This leads to a complete compromise of confidentiality, integrity, and availability of the affected Dgraph instance. The CVSS v3.1 score is 9.8 (critical), reflecting the high impact and ease of exploitation.
Mitigation Recommendations
This vulnerability is fixed in Dgraph version 25.3.3. Users should upgrade to version 25.3.3 or later to remediate this issue. Patch status is not explicitly confirmed in the vendor advisory content provided, but the description states the fix is included in 25.3.3. Until upgrading, restrict access to the /debug/vars endpoint and avoid passing sensitive tokens via command line flags if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T16:14:19.008Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebbba787115cfb68655cd3
Added to database: 4/24/2026, 6:51:19 PM
Last enriched: 5/1/2026, 8:41:42 PM
Last updated: 6/9/2026, 12:59:57 AM
Views: 107
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.