CVE-2026-41492
Dgraph · Dgraph
Dgraph exposes sensitive process command-line arguments, including admin tokens, via an unauthenticated /debug/vars endpoint, allowing unauthorized administrative access.
Executive summary
A critical vulnerability in Dgraph allows unauthenticated attackers to steal administrative credentials through an exposed debug endpoint, leading to full system compromise.
Vulnerability
This is an information disclosure flaw: the process command line, which contains sensitive security tokens, is exposed via the unauthenticated /debug/vars endpoint. An unauthenticated attacker can retrieve these tokens and replay them to gain administrative control over the database.
Business impact
The ability for an unauthenticated user to retrieve administrative tokens poses a severe risk to data integrity and confidentiality. With a CVSS score of 9.8, this flaw facilitates complete unauthorized administrative access, potentially leading to total database exfiltration, unauthorized configuration changes, and severe operational disruption.
Remediation
Immediate Action: Upgrade Dgraph instances to version 25.3.3 or later, which restricts access to the /debug/vars endpoint.
Proactive Monitoring: Review access logs for unusual requests to the /debug/vars path and monitor for unauthorized use of administrative tokens.
Compensating Controls: If immediate patching is not possible, implement network-level access controls to restrict access to the Alpha node's administrative ports to trusted management IPs only.
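The log review and management-IP allowlisting described in the two points above can be combined into a simple detection pass over access logs. The following script is an added example, not code from the advisory or from the Dgraph project. It assumes a reverse proxy in front of the Alpha node writes Common Log Format lines; the log lines, the 10.0.0.0/24 management network and the client addresses are constructed sample data.

```python
"""Flag requests to Dgraph's /debug/vars endpoint in HTTP access logs.

Constructed example: the log lines and the management allowlist below are
made-up sample data, and the Common Log Format layout is an assumption
about how a reverse proxy in front of the Alpha node writes its logs.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed: Common Log Format, e.g.
# 10.0.0.5 - - [10/Mar/2026:08:00:01 +0000] "GET /health HTTP/1.1" 200 15
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed allowlist of trusted management networks (hypothetical range).
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass
class Finding:
    src: str
    ts: str
    path: str
    status: int
    trusted_source: bool


def is_management_ip(addr: str) -> bool:
    """True if addr lies inside one of the allowlisted management networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def is_debug_vars(path: str) -> bool:
    """Match /debug/vars with or without a query string."""
    return path.split("?", 1)[0] == "/debug/vars"


def scan_access_log(lines):
    """Return a Finding for every request that targeted /debug/vars."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or not is_debug_vars(m["path"]):
            continue
        findings.append(Finding(
            src=m["src"], ts=m["ts"], path=m["path"],
            status=int(m["status"]), trusted_source=is_management_ip(m["src"])))
    return findings


def untrusted_hits(findings):
    """Requests that succeeded (2xx) and did not come from a management network.

    A 2xx from an untrusted source means the endpoint actually served the
    process command line, so these are the hits to escalate first.
    """
    return [f for f in findings if not f.trusted_source and 200 <= f.status < 300]


# Constructed sample log lines (hypothetical addresses and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2026:08:00:01 +0000] "GET /health HTTP/1.1" 200 15',
    '10.0.0.5 - - [10/Mar/2026:08:00:07 +0000] "GET /debug/vars HTTP/1.1" 200 4821',
    '203.0.113.7 - - [10/Mar/2026:08:02:13 +0000] "GET /debug/vars HTTP/1.1" 200 4821',
    '198.51.100.9 - - [10/Mar/2026:08:05:00 +0000] "GET /debug/vars?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in untrusted_hits(scan_access_log(SAMPLE_LOG)):
        print(f"ALERT {f.ts} {f.src} fetched {f.path} (status {f.status})")
```

Requests that were blocked (non-2xx) are still recorded by `scan_access_log`, so the same pass can confirm that a network-level control is actually rejecting untrusted sources; only successful fetches from outside the management range are raised by `untrusted_hits`.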
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a critical security oversight that allows for trivial credential theft. Organizations must prioritize the upgrade to 25.3.3 to close the unauthorized access vector provided by the debug interface.