GHSA-VVF7-6RMR-M29Q

Vulnerability from github – Published: 2026-04-24 16:15 – Updated: 2026-05-04 20:08
Summary
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars
Details

Summary

Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints.

This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler.

Details

Alpha still exposes Go's default HTTP mux:

  • x/metrics.go
      • imports expvar
      • initializes Conf = expvar.NewMap("dgraph_config")
  • Go's expvar package automatically registers /debug/vars
  • expvar publishes:
      • cmdline = os.Args
      • memstats = runtime.Memstats

Alpha's HTTP handler explicitly blocks only the old CVE path:

  • dgraph/cmd/alpha/run.go
      • checks if r.URL.Path == "/debug/pprof/cmdline" and returns 404
      • otherwise falls through to http.DefaultServeMux.ServeHTTP(w, r)

Admin endpoints still trust the leaked token:

  • dgraph/cmd/alpha/admin.go
      • reads X-Dgraph-AuthToken
      • compares it to worker.Config.AuthToken
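As an added example (not Dgraph's own code), the Go program below reproduces the two designs the advisory contrasts: a handler that denies only /debug/pprof/cmdline and then falls through to http.DefaultServeMux, beside a fresh mux that never inherits the /debug/vars registration that merely importing expvar performs. The map name example_config, the /health route and the probe helper are constructed for the demonstration.

```go
// Added example (not Dgraph's code): a path denylist in front of DefaultServeMux vs. a dedicated mux.
package main

import (
	"expvar" // importing it registers /debug/vars on http.DefaultServeMux
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Mirrors the x/metrics.go pattern: creating an expvar map is enough to pull /debug/vars into the default mux.
var Conf = expvar.NewMap("example_config")

// blocklistHandler models the incomplete fix: one path is denied and
// everything else, /debug/vars included, falls through to the default mux.
func blocklistHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/debug/pprof/cmdline" {
		http.NotFound(w, r)
		return
	}
	http.DefaultServeMux.ServeHTTP(w, r)
}

// hardenedMux serves only routes registered on a fresh mux, so handlers that other
// packages attach to DefaultServeMux (expvar, pprof) never reach this listener.
func hardenedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "OK")
	})
	return mux
}

// probe issues an in-process GET and reports the status code and whether the
// body contains expvar's "cmdline" key, i.e. the process arguments.
func probe(h http.Handler, path string) (status int, leaksCmdline bool) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, strings.Contains(rec.Body.String(), `"cmdline"`)
}

func main() {
	for _, p := range []string{"/debug/pprof/cmdline", "/debug/vars"} {
		s1, leak1 := probe(http.HandlerFunc(blocklistHandler), p)
		s2, leak2 := probe(hardenedMux(), p)
		fmt.Printf("%-21s blocklist=%d/%v hardened=%d/%v\n", p, s1, leak1, s2, leak2)
	}
}
```

Diagnostics such as pprof that operators still need belong on a separate, access-controlled listener rather than on the same mux as client traffic.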

PoC

  1. Send an unauthenticated request to Alpha:

         GET /debug/vars HTTP/1.1
         Host: target:8080

  2. Parse the JSON response and read the cmdline field.

  3. Extract the admin token from the startup arguments, for example:

         --security token=debug-vars-secret;

  4. Replay the token to an admin-only endpoint:

         GET /admin/config/cache_mb HTTP/1.1
         Host: target:8080
         X-Dgraph-AuthToken: debug-vars-secret

  5. The request is accepted as an authorized admin request.

This was reproduced against dgraph/dgraph:v25.3.2 in Docker.

Observed behavior:

  • unauthenticated /debug/vars leaked the configured token
  • replaying the leaked token in X-Dgraph-AuthToken successfully accessed /admin/config/cache_mb
  • response body was:

         4096

It was verified that the old CVE path appears specifically patched in the same version:

  • /debug/pprof/cmdline returned 404 Not Found
  • /debug/pprof/ remained reachable

Impact

Unauthenticated attackers can obtain the Alpha admin token and gain unauthorized administrative access.

This enables privileged admin operations such as:

  • reading privileged admin configuration
  • mutating admin configuration
  • performing operational control actions gated by X-Dgraph-AuthToken

In deployments where the Alpha HTTP port is reachable by untrusted parties, this is a practical authentication bypass to admin functionality.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph/v25"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph/v24"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "24.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T16:15:28Z",
    "nvd_published_at": "2026-04-24T19:17:14Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nDgraph `v25.3.2` still exposes the process command line through the unauthenticated `/debug/vars` endpoint on Alpha. Because the admin token is commonly supplied via the `--security \"token=...\"` startup flag, an unauthenticated attacker can retrieve that token and replay it in the `X-Dgraph-AuthToken` header to access admin-only endpoints.\n\nThis is a variant of the previously fixed `/debug/pprof/cmdline` issue, but the current fix is incomplete because it blocks only `/debug/pprof/cmdline` and still serves `http.DefaultServeMux`, which includes `expvar`\u0027s `/debug/vars` handler.\n\n### Details\nAlpha still exposes Go\u0027s default HTTP mux:\n\n- `x/metrics.go`\n  - imports `expvar`\n  - initializes `Conf = expvar.NewMap(\"dgraph_config\")`\n- Go\u0027s `expvar` package automatically registers `/debug/vars`\n- `expvar` publishes:\n  - `cmdline = os.Args`\n  - `memstats = runtime.Memstats`\n\nAlpha\u0027s HTTP handler explicitly blocks only the old CVE path:\n\n- `dgraph/cmd/alpha/run.go`\n  - checks `if r.URL.Path == \"/debug/pprof/cmdline\"` and returns `404`\n  - otherwise falls through to `http.DefaultServeMux.ServeHTTP(w, r)`\n\nAdmin endpoints still trust the leaked token:\n\n- `dgraph/cmd/alpha/admin.go`\n  - reads `X-Dgraph-AuthToken`\n  - compares it to `worker.Config.AuthToken`\n### PoC\n1. Send an unauthenticated request to Alpha:\n\n```http\nGET /debug/vars HTTP/1.1\nHost: target:8080\n```\n\n2. Parse the JSON response and read the `cmdline` field.\n\n3. Extract the admin token from the startup arguments, for example:\n\n```text\n--security token=debug-vars-secret;\n```\n\n4. Replay the token to an admin-only endpoint:\n\n```http\nGET /admin/config/cache_mb HTTP/1.1\nHost: target:8080\nX-Dgraph-AuthToken: debug-vars-secret\n```\n\n5. The request is accepted as an authorized admin request.\n\nThis was reproduced against `dgraph/dgraph:v25.3.2` in Docker.\n\nObserved behavior:\n\n- unauthenticated `/debug/vars` leaked the configured token\n- replaying the leaked token in `X-Dgraph-AuthToken` successfully accessed `/admin/config/cache_mb`\n- response body was:\n\n```text\n4096\n```\n\nIt was verified that the old CVE path appears specifically patched in the same version:\n\n- `/debug/pprof/cmdline` returned `404 Not Found`\n- `/debug/pprof/` remained reachable\n\n### Impact\nUnauthenticated attackers can obtain the Alpha admin token and gain unauthorized administrative access.\n\nThis enables privileged admin operations such as:\n\n- reading privileged admin configuration\n- mutating admin configuration\n- performing operational control actions gated by `X-Dgraph-AuthToken`\n\nIn deployments where the Alpha HTTP port is reachable by untrusted parties, this is a practical authentication bypass to admin functionality.",
  "id": "GHSA-vvf7-6rmr-m29q",
  "modified": "2026-05-04T20:08:42Z",
  "published": "2026-04-24T16:15:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41492"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dgraph-io/dgraph"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars"
}