CVE-2026-41492: Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars

April 24, 2026 (updated May 4, 2026)

Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints.

This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar’s /debug/vars handler.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-41492 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →