CVE-2026-41492
Published: 24 April 2026
Summary
CVE-2026-41492 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Dgraph (vendor: Dgraph). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 19.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2026-41492 affects Dgraph, an open source distributed GraphQL database, specifically versions prior to 25.3.3 in the Alpha component. The vulnerability involves the unauthenticated /debug/vars endpoint, which exposes the process command line. This endpoint is served because Alpha serves http.DefaultServeMux, on which Go's expvar package registers its /debug/vars handler; the handler reveals sensitive information such as the admin token when it is supplied via the common --security "token=..." startup flag. Rated at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-200 (Exposure of Sensitive Information), it stems from an incomplete fix for a prior /debug/pprof/cmdline issue.
An unauthenticated remote attacker can exploit this by accessing the /debug/vars endpoint to retrieve the exposed admin token from the command line. The attacker can then replay this token in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints, potentially allowing full compromise of the database, with high impact on confidentiality, integrity, and availability.
The vulnerability is fixed in Dgraph version 25.3.3, as detailed in the release notes and GitHub security advisory GHSA-vvf7-6rmr-m29q. Security practitioners should upgrade to 25.3.3 or later and review configurations to avoid passing sensitive tokens via command-line flags.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25599
Vulnerability details
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.
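The root cause described above, the application serving http.DefaultServeMux and thereby every handler other packages registered on it at init time, can be demonstrated and checked in a few lines of Go. The example below is added here and is not Dgraph's code; the names healthHandler, vulnerableHandler, hardenedHandler and exposesCommandLine are hypothetical. It contrasts the risky pattern (serving the default mux with expvar imported) with the hardened one (a dedicated mux carrying only explicitly registered routes), and includes an in-process self-check a defender can use to confirm that /debug/vars, and with it expvar's "cmdline" variable holding the process arguments, is not reachable through the handler a service actually exposes.

```go
package main

import (
	"encoding/json"
	_ "expvar" // side effect of the import: registers the /debug/vars handler on http.DefaultServeMux
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// healthHandler stands in for the application's own routes (hypothetical).
func healthHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "ok")
}

var registerOnce sync.Once

// vulnerableHandler follows the pattern the advisory describes: the application
// registers its routes on http.DefaultServeMux and serves that mux. Everything
// another package registered there at init time is served too, without any
// authentication, including expvar's /debug/vars handler.
func vulnerableHandler() http.Handler {
	registerOnce.Do(func() { http.HandleFunc("/health", healthHandler) })
	return http.DefaultServeMux
}

// hardenedHandler serves a dedicated mux, so only routes the application
// registers explicitly are reachable; expvar's handler is not among them.
func hardenedHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", healthHandler)
	return mux
}

// exposesCommandLine is a self-check run against a handler in-process: it
// requests /debug/vars and reports whether the response is a 200 whose JSON
// body carries expvar's "cmdline" key (the process arguments, which is where
// a token passed on the command line would appear).
func exposesCommandLine(h http.Handler) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/debug/vars", nil))
	if rec.Code != http.StatusOK {
		return false
	}
	var vars map[string]json.RawMessage
	if err := json.Unmarshal(rec.Body.Bytes(), &vars); err != nil {
		return false
	}
	_, ok := vars["cmdline"]
	return ok
}

func main() {
	fmt.Println("DefaultServeMux exposes cmdline:", exposesCommandLine(vulnerableHandler())) // true
	fmt.Println("dedicated mux exposes cmdline:  ", exposesCommandLine(hardenedHandler()))   // false
}
```

The check is deliberately performed through the handler rather than by listing registered patterns, because the advisory's incomplete fix shows why that matters: blocking one path (/debug/pprof/cmdline) on a mux that is still http.DefaultServeMux leaves every other default-registered handler in place. Switching to a dedicated mux removes the whole class at once; keeping secrets out of command-line flags removes what /debug/vars would have had to reveal.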
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated /debug/vars endpoint in a public-facing GraphQL database enables exploitation of a public-facing application (T1190) to expose and steal the admin token via command line arguments (T1212).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the CVE by requiring timely identification, reporting, and correction of the flaw through patching to Dgraph 25.3.3, which fully resolves the /debug/vars exposure.
- CM-6 (Configuration Settings): enforces secure configuration settings to avoid passing admin tokens via command-line flags and to disable or protect debug endpoints like /debug/vars from unauthorized access.
- SC-14 (Public Access Protections): requires enforcement of access controls on publicly accessible unauthenticated interfaces such as /debug/vars to prevent exposure of sensitive command-line information, including admin tokens.