CVE-2026-41492

CRITICAL NVD

CVSS Score 9.8

Severity CRITICAL

Published Apr 24, 2026

Vendor unknown

Description

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.

References

https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3
https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q
https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q