{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41492", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T16:14:19.008Z", "datePublished": "2026-04-24T18:29:40.555Z", "dateUpdated": "2026-04-24T19:13:03.267Z"}, "containers": {"cna": {"title": "Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars in Dgraph", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q"}, {"name": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3"}], "affected": [{"vendor": "dgraph-io", "product": "dgraph", "versions": [{"version": "< 25.3.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:29:40.555Z"}, "descriptions": [{"lang": "en", "value": "Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security \"token=...\" startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3."}], "source": {"advisory": "GHSA-vvf7-6rmr-m29q", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T19:12:18.464706Z", "id": "CVE-2026-41492", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T19:13:03.267Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41492", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T16:14:19.008Z", "datePublished": "2026-04-24T18:29:40.555Z", "dateUpdated": "2026-04-24T19:13:03.267Z"}, "containers": {"cna": {"title": "Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars in Dgraph", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q"}, {"name": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3"}], "affected": [{"vendor": "dgraph-io", "product": "dgraph", "versions": [{"version": "< 25.3.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:29:40.555Z"}, "descriptions": [{"lang": "en", "value": "Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security \"token=...\" startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3."}], "source": {"advisory": "GHSA-vvf7-6rmr-m29q", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41492", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T19:12:18.464706Z"}}}], "references": [{"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T19:11:18.951Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dgraph:dgraph:*:*:*:*:*:go:*:*", "matchCriteriaId": "03E6E13D-4051-49C6-BDFB-3B66E2002401", "versionEndExcluding": "25.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security \"token=...\" startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3."}], "id": "CVE-2026-41492", "lastModified": "2026-04-28T18:28:30.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T19:17:14.047", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,25.3.3)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "dgraph", "source": "cna", "vendor": "dgraph-io"}, "product": "dgraph", "vendor": "dgraph"}], "analysis": {"en": {"generated_at": "2026-04-28T13:36:58.324969+00:00", "value": {"mitigation_remediation": ["Upgrade Dgraph to version 25.3.3 or later, which removes the /debug/vars handler from the default HTTP multiplexer.", "Restrict network exposure of the Alpha API; place the /debug/vars endpoint behind an internal firewall or VPN and block access from untrusted networks.", "If upgrading is not yet possible, temporarily disable the /debug/vars handler (e.g., remove the expvar registration or patch the HTTP multiplexer to exclude the endpoint).", "Avoid passing the admin token via the command\u2011line flag; instead store it in a secure environment variable or secret store to reduce exposure in process listings."], "summary": {"action": "Apply Patch", "impact": "Unauthorized disclosure of admin token leading to authentication bypass"}, "threat_synthesis": {"affected_systems": "The issue affects installations of dgraph-io:dgraph versions prior to 25.3.3. Any deployment that has the /debug/vars path enabled and that supplies an admin token via the --security flag is vulnerable. The affected component is the Alpha API server, which serves the expvar metrics endpoint without authorization.", "description_and_impact": "Dgraph, an open\u2011source distributed GraphQL database, exposes the process command line through its unauthenticated /debug/vars endpoint on the Alpha API. The admin token is normally supplied via the --security \"token=...\" startup flag, so an attacker who reads /debug/vars can recover this token and reuse it in the X-Dgraph-AuthToken header to access privileged admin\u2011only endpoints. The flaw stems from an incomplete mitigation of a prior /debug/pprof/cmdline disclosure; the fix only blocked that handler and left the default HTTP multiplexer, which still serves the expvar /debug/vars endpoint. The vulnerability is a classic information\u2011leak (CWE-200) that can be turned into a full authentication bypass.", "risk_and_exploitability": "The CVSS score of 9.8 marks this as critical. The EPSS score of less than 1% indicates exploitation probability is currently very low, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known active exploitation. Nevertheless, an attacker who can reach the /debug/vars endpoint\u2014such as through an exposed localhost interface or misconfigured network\u2014can retrieve the admin token in one request, then replay it to any admin endpoint. The attack requires no authentication and can be performed entirely via HTTP GET, making it trivial in the correct environment."}}}}, "created": "2026-04-28T08:45:26.955015+00:00", "updated": "2026-04-28T13:45:06.135026+00:00", "vendors": ["dgraph", "dgraph$PRODUCT$dgraph"]}