Dgraph CVE-2026-41492: Unauthenticated Admin Token Exposure Via /debug/vars
A critical vulnerability, CVE-2026-41492, has been identified in Dgraph, an open-source distributed GraphQL database. The National Vulnerability Database reports that versions prior to 25.3.3 expose the process command line via the unauthenticated /debug/vars endpoint on Alpha. This matters because the administrative token is commonly passed to Alpha as a startup flag (--security "token=..."), so it appears verbatim in that command line.
An unauthenticated attacker can read the token from /debug/vars and replay it in the X-Dgraph-AuthToken header to reach admin-only endpoints with full privileges. This is not a new attack vector; it is a variant of the previously fixed /debug/pprof/cmdline issue. That earlier fix was incomplete: it blocked only the pprof endpoint while Alpha continued to serve http.DefaultServeMux, the process-wide mux on which Go's expvar package registers its /debug/vars handler. The National Vulnerability Database assigns this a CVSS score of 9.8 (Critical).
This is a fundamental failure in protecting sensitive configuration data. The fix is available in Dgraph version 25.3.3. Defenders must prioritize patching immediately, as exploitation requires no authentication and grants full administrative control over the database.
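The root cause described above is a general Go pitfall, not something specific to Dgraph: importing expvar registers /debug/vars on http.DefaultServeMux, and any listener that serves that mux exposes the handler. The following Go program is an added example written for this page, not Dgraph's code, and it does not reproduce Dgraph's routing. It contrasts a service that serves DefaultServeMux with one that serves a dedicated mux, and probes both in-process for the "cmdline" key that expvar publishes from os.Args. The /health route and handler names are assumptions made for the example.

```go
package main

// Added example (not Dgraph's code): shows why serving http.DefaultServeMux leaks the
// process command line through expvar, and the fix of routing only your own handlers.

import (
	_ "expvar" // side effect: registers /debug/vars on http.DefaultServeMux
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// healthHandler stands in for the service's own routes (assumed for this example).
func healthHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte("ok"))
}

var registerOnce sync.Once

// VulnerableHandler mirrors the pattern the advisory describes: the listener is handed the
// process-wide http.DefaultServeMux. Every handler that any imported package registered there
// (expvar's /debug/vars, and pprof's /debug/pprof/* if it is imported) is served to anyone who
// can reach the port, with no authentication in front of it.
func VulnerableHandler() http.Handler {
	registerOnce.Do(func() { http.HandleFunc("/health", healthHandler) })
	return http.DefaultServeMux
}

// HardenedHandler builds a dedicated mux carrying only the routes the service intends to
// expose. expvar is still imported by this file, but its handler lives on DefaultServeMux,
// which this mux never consults, so /debug/vars is simply not routable.
func HardenedHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", healthHandler)
	return mux
}

// Probe serves one in-process GET against h and returns the status code and body.
func Probe(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

// LeaksCmdline reports whether GET /debug/vars on h succeeds and carries expvar's "cmdline"
// key, which holds os.Args verbatim, startup flags such as --security included.
func LeaksCmdline(h http.Handler) bool {
	code, body := Probe(h, "/debug/vars")
	return code == http.StatusOK && strings.Contains(body, `"cmdline"`)
}

func main() {
	fmt.Println("DefaultServeMux exposes cmdline:", LeaksCmdline(VulnerableHandler()))
	fmt.Println("dedicated mux exposes cmdline:  ", LeaksCmdline(HardenedHandler()))
}
```

Removing pprof's registration alone, as the earlier fix did, leaves expvar's handler in place; the durable fix is to never hand the shared DefaultServeMux to a network listener. If debug endpoints are genuinely needed, serve them from a separate listener bound to loopback or placed behind the same authentication as the admin endpoints.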
What This Means For You
- If your organization uses Dgraph, check your version immediately. If it is prior to 25.3.3, you are exposed to unauthenticated administrative access. Patch to 25.3.3 without delay, and audit your Dgraph Alpha instances for any unauthorized access attempts to `/debug/vars` or the administrative endpoints.
Related ATT&CK Techniques
🛡️ Detection Rules
Dgraph Unauthenticated Admin Token Exposure via /debug/vars - CVE-2026-41492

```yaml
title: Dgraph Unauthenticated Admin Token Exposure via /debug/vars - CVE-2026-41492
id: scw-2026-04-24-ai-1
status: experimental
level: critical
description: |
  Detects unauthenticated GET requests to the /debug/vars endpoint on Dgraph Alpha instances.
  This endpoint can expose sensitive information like the admin token when it is passed via
  the --security "token=..." startup flag, allowing attackers to gain administrative access.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41492/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/debug/vars'
    cs-method:
      - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
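To show what the Sigma rule's selection does against real records, and how to act on the audit advice in the "What This Means For You" section, here is an added Go example (not part of the advisory or the rule feed) that applies the same GET + `/debug/vars` selection to constructed web-server log lines and then correlates the retrieve-then-replay sequence the advisory describes: a client that received a 200 from /debug/vars and afterwards called an admin-only path. The log lines, the IP addresses and the `/admin` path are constructed assumptions for this example.

```go
package main

// Added example (not from the advisory or Dgraph): applies the Sigma rule's selection to
// constructed web-server log lines and correlates the follow-up access the advisory describes.

import (
	"fmt"
	"strings"
)

// SampleLog is constructed for this example. Field order follows a W3C/IIS-style layout:
// date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
var SampleLog = []string{
	"#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
	"2026-04-24 22:17:05 10.0.0.5 GET /health - 8080 - 10.0.0.9 kube-probe/1.29 200",
	"2026-04-24 22:17:09 10.0.0.5 GET /debug/vars - 8080 - 203.0.113.7 curl/8.6.0 200",
	"2026-04-24 22:17:12 10.0.0.5 POST /admin - 8080 - 203.0.113.7 curl/8.6.0 200",
	"2026-04-24 22:18:01 10.0.0.5 GET /debug/vars - 8080 - 10.0.0.9 kube-probe/1.29 404",
}

// Entry holds the fields the detection needs from one log line.
type Entry struct {
	Method, URI, ClientIP, Status, Raw string
}

// ParseLine extracts those fields; "#" directive lines and short lines are skipped.
func ParseLine(line string) (Entry, bool) {
	if strings.HasPrefix(line, "#") {
		return Entry{}, false
	}
	f := strings.Fields(line)
	if len(f) < 11 {
		return Entry{}, false
	}
	return Entry{Method: f[3], URI: f[4], ClientIP: f[8], Status: f[10], Raw: line}, true
}

// DetectDebugVars is the Sigma selection: cs-method GET and cs-uri containing /debug/vars.
// The status is kept so a 200 (the endpoint actually answered) can be triaged ahead of a 404
// (the endpoint was not served); the rule itself does not distinguish them.
func DetectDebugVars(lines []string) []Entry {
	var hits []Entry
	for _, l := range lines {
		e, ok := ParseLine(l)
		if ok && e.Method == "GET" && strings.Contains(e.URI, "/debug/vars") {
			hits = append(hits, e)
		}
	}
	return hits
}

// CorrelateAdminFollowUp returns, in first-seen order, client IPs that received a 200 from
// /debug/vars and afterwards requested one of adminPaths. That is the token-read-then-replay
// sequence the advisory describes and is the finding to escalate. The caller supplies the
// admin path prefixes; "/admin" in main is an assumption for this example.
func CorrelateAdminFollowUp(lines []string, adminPaths []string) []string {
	gotToken := map[string]bool{}
	reported := map[string]bool{}
	var out []string
	for _, l := range lines {
		e, ok := ParseLine(l)
		if !ok {
			continue
		}
		if e.Method == "GET" && strings.Contains(e.URI, "/debug/vars") && e.Status == "200" {
			gotToken[e.ClientIP] = true
			continue
		}
		for _, p := range adminPaths {
			if strings.HasPrefix(e.URI, p) && gotToken[e.ClientIP] && !reported[e.ClientIP] {
				reported[e.ClientIP] = true
				out = append(out, e.ClientIP)
			}
		}
	}
	return out
}

func main() {
	for _, h := range DetectDebugVars(SampleLog) {
		fmt.Printf("ALERT    %s %s from %s (status %s)\n", h.Method, h.URI, h.ClientIP, h.Status)
	}
	for _, ip := range CorrelateAdminFollowUp(SampleLog, []string{"/admin"}) {
		fmt.Printf("ESCALATE %s: read /debug/vars, then reached an admin endpoint\n", ip)
	}
}
```

On the sample log the plain selection fires twice, including once for a health-check probe that got a 404; the correlation narrows the escalation to the single client that both obtained a 200 from /debug/vars and then used an admin path. Adjust the field indices in ParseLine to your log format and the admin path list to the endpoints your deployment actually serves.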
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41492 | Information Disclosure | Dgraph Alpha /debug/vars endpoint |
| CVE-2026-41492 | Auth Bypass | Dgraph versions prior to 25.3.3 |
| CVE-2026-41492 | Information Disclosure | Dgraph admin token exposed via process command line |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 24, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.