Cyber Posture

CVE-2026-41492

Critical · Public PoC

Published: 24 April 2026
Modified: 28 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.
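The two server shapes the description contrasts, as an added Go example that is not Dgraph's code: handing the listener http.DefaultServeMux after importing expvar exposes the process command line on /debug/vars, while a private mux that re-registers expvar.Handler() only behind an X-Dgraph-AuthToken check does not. The /health route, the token value and the probeDebugVars helper are constructed for the illustration.

```go
package main

import (
	"crypto/subtle"
	"expvar" // importing it publishes "cmdline" (= os.Args) and hooks /debug/vars onto http.DefaultServeMux
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableHandler is the shape the advisory describes: serving http.DefaultServeMux
// drags expvar's unauthenticated /debug/vars along, and its "cmdline" value is os.Args.
func vulnerableHandler() http.Handler { return http.DefaultServeMux }

// hardenedHandler uses a private mux that registers only intended routes; /debug/vars is
// added deliberately behind the admin token instead of being inherited from the default mux.
func hardenedHandler(adminToken string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })
	mux.Handle("/debug/vars", requireAdminToken(adminToken, expvar.Handler()))
	return mux
}

// requireAdminToken fails closed (no token configured means deny) and compares in constant time.
func requireAdminToken(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-Dgraph-AuthToken")
		if expected == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probeDebugVars issues GET /debug/vars in-process (no network) and reports the HTTP status
// plus whether the body carries expvar's "cmdline" key, i.e. this process's own os.Args.
func probeDebugVars(h http.Handler, token string) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, "/debug/vars", nil)
	if token != "" {
		req.Header.Set("X-Dgraph-AuthToken", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.Contains(rec.Body.String(), `"cmdline"`)
}
```

Run it with `go test` alongside a test that calls probeDebugVars against both handlers; the same probe, pointed at your own Alpha's listener, is a quick configuration check that the token is no longer readable without authentication.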

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly mitigates the CVE by requiring timely identification, reporting, and correction of the flaw through patching to Dgraph 25.3.3, which fully resolves the /debug/vars exposure.

prevent: Enforces secure configuration settings to avoid passing admin tokens via command-line flags and to disable or protect debug endpoints like /debug/vars from unauthorized access.

prevent: Requires enforcement of access controls on publicly accessible unauthenticated interfaces such as /debug/vars to prevent exposure of sensitive command-line information including admin tokens.

Security Summary [AI]

CVE-2026-41492 affects Dgraph, an open source distributed GraphQL database, specifically the Alpha component in versions prior to 25.3.3. The vulnerability involves the unauthenticated /debug/vars endpoint, which exposes the process command line: Alpha serves http.DefaultServeMux, on which Go's expvar package registers its /debug/vars handler, so the endpoint reveals sensitive information such as the admin token when it is supplied via the common --security "token=..." startup flag. Rated at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-200 (Exposure of Sensitive Information), it represents an incomplete fix for a prior /debug/pprof/cmdline issue.

An unauthenticated remote attacker can exploit this by accessing the /debug/vars endpoint to retrieve the exposed admin token from the command line. The attacker can then replay this token in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints, potentially allowing full compromise of the database including high-impact confidentiality, integrity, and availability violations.

The vulnerability is fixed in Dgraph version 25.3.3, as detailed in the release notes and GitHub security advisory GHSA-vvf7-6rmr-m29q. Security practitioners should upgrade to 25.3.3 or later and review configurations to avoid passing sensitive tokens via command-line flags.

Details

CWE(s): CWE-200 (Exposure of Sensitive Information)

Affected Products: dgraph / dgraph, ≤ 25.3.3

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1212 Exploitation for Credential Access (Credential Access): Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

The unauthenticated /debug/vars endpoint in a public-facing GraphQL database enables exploitation of a public-facing application (T1190) to expose and steal the admin token via command line arguments (T1212).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
