CRITICAL🇵🇱 Wersja polska

CVE-2026-41492

CVSS 9.8v3.1pub. 2026-04-24upd. 2026-04-28

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.

🤖 AI Analysis
How it works

Dgraph Alpha exposes the /debug/vars endpoint without any authentication, which is handled by the standard http.DefaultServeMux mechanism of the Go library (expvar). Since the administrative token is typically passed at application startup as a command-line argument (--security "token=..."), its value is visible in the data exposed by this endpoint. An attacker can read the token from the HTTP response and then use it in the X-Dgraph-AuthToken header to gain access to endpoints reserved exclusively for administrators. The previous patch only blocked the /debug/pprof/cmdline path, leaving /debug/vars unprotected.

Impact

An unauthenticated remote attacker can gain full administrative privileges to a Dgraph instance, leading to violation of confidentiality, integrity, and availability of data stored in the database.

Mitigation & patch

Dgraph should be updated to version 25.3.3, in which the vulnerability has been fixed. The patch is available in the GitHub repository at: https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3. As a temporary measure, until updating, consider blocking network access to the /debug/vars endpoint at the firewall or proxy level.

Who is affected

Dgraph (open source distributed GraphQL database) in all versions before 25.3.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dgraph

    APP
    Dgraph
    < 25.3.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-41327CRITICAL9.1PL ✓ten sam produkt

Dgraph — wstrzyknięcie zapytania DQL umożliwia nieautoryzowany odczyt danych

CVE-2026-41328CRITICAL9.1PL ✓ten sam produkt

DQL injection w Dgraph — nieuwierzytelniony pełny odczyt bazy danych

CVE-2026-40173CRITICAL9.4PL ✓ten sam produkt

Dgraph: ujawnienie tokenu admina przez niezabezpieczony endpoint /debug/pprof/cmdline

CVE-2026-34976CRITICAL10.0PL ✓ten sam produkt

Dgraph: nieuwierzytelniony dostęp do mutacji restoreTenant (SSRF, RCE danych)

CVE-2023-31135LOW3.3ten sam produkt

Dgraph is an open source distributed GraphQL database. Existing Dgraph audit logs are vulnerable to brute forc...