CVE-2026-41492
Published: 24 April 2026
Summary
CVE-2026-41492 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Dgraph. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 35.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-14 (Public Access Protections).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring timely identification, reporting, and correction of the flaw through patching to Dgraph 25.3.3, which fully resolves the /debug/vars exposure.
- CM-6 (Configuration Settings): Enforces secure configuration settings to avoid passing admin tokens via command-line flags and to disable or protect debug endpoints such as /debug/vars from unauthorized access.
- SC-14 (Public Access Protections): Requires enforcement of access controls on publicly accessible, unauthenticated interfaces such as /debug/vars to prevent exposure of sensitive command-line information, including admin tokens.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated /debug/vars endpoint in a public-facing GraphQL database allows exploitation of a public-facing application (Exploit Public-Facing Application, T1190) to expose the process command line, and the admin token read from those arguments can then be used for credential access (Exploitation for Credential Access, T1212).
NVD Description
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.
Deeper analysis
CVE-2026-41492 affects Dgraph, an open source distributed GraphQL database, specifically versions prior to 25.3.3 in the Alpha component. The vulnerability involves the unauthenticated /debug/vars endpoint, which exposes the process command line. Alpha serves http.DefaultServeMux, on which Go's expvar package registers its /debug/vars handler, so the endpoint reveals sensitive information such as the admin token whenever it is supplied via the common --security "token=..." startup flag. Rated at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-200 (Exposure of Sensitive Information), it represents an incomplete fix for a prior /debug/pprof/cmdline issue.
An unauthenticated remote attacker can exploit this by accessing the /debug/vars endpoint to retrieve the exposed admin token from the command line. The attacker can then replay this token in the X-Dgraph-AuthToken header to gain unauthorized access to admin-only endpoints, potentially allowing full compromise of the database including high-impact confidentiality, integrity, and availability violations.
The vulnerability is fixed in Dgraph version 25.3.3, as detailed in the release notes and GitHub security advisory GHSA-vvf7-6rmr-m29q. Security practitioners should upgrade to 25.3.3 or later and review configurations to avoid passing sensitive tokens via command-line flags.
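The incomplete-fix pattern described above, as an added illustration that is not Dgraph's own code: blocking one path in front of http.DefaultServeMux still leaves expvar's /debug/vars reachable, whereas serving a private mux with only application routes removes every handler that stdlib packages register on the default mux. The /health route and the Probe helper are hypothetical stand-ins for a real service's routes and a reviewer's check.

```go
package main

import (
	_ "expvar" // side effect: registers /debug/vars (with "cmdline") on http.DefaultServeMux
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: registers /debug/pprof/* on http.DefaultServeMux
	"strings"
	"sync"
)

var registerOnce sync.Once

// appRoutes stands in for the service's real routes (hypothetical).
func appRoutes(mux *http.ServeMux) {
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("OK")) })
}

// IncompleteFix mirrors the flawed pattern: deny a single path, then fall through to
// http.DefaultServeMux, which still carries expvar's /debug/vars handler.
func IncompleteFix() http.Handler {
	registerOnce.Do(func() { appRoutes(http.DefaultServeMux) })
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/debug/pprof/cmdline" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		http.DefaultServeMux.ServeHTTP(w, r)
	})
}

// HardenedFix serves a private mux holding only application routes, so nothing that
// expvar or pprof registered on the default mux is exposed to unauthenticated clients.
func HardenedFix() http.Handler {
	mux := http.NewServeMux()
	appRoutes(mux)
	return mux
}

// Probe issues an in-process GET and reports the HTTP status plus whether the body
// carries the process command line (expvar emits it under the "cmdline" key).
func Probe(h http.Handler, path string) (int, bool) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, strings.Contains(rec.Body.String(), `"cmdline"`)
}

func main() {
	for name, h := range map[string]http.Handler{"incomplete": IncompleteFix(), "hardened": HardenedFix()} {
		for _, p := range []string{"/debug/vars", "/debug/pprof/cmdline", "/health"} {
			code, leaks := Probe(h, p)
			fmt.Printf("%-10s %-21s status=%d leaks_cmdline=%v\n", name, p, code, leaks)
		}
	}
}
```

Running it shows the incomplete handler returning 403 for /debug/pprof/cmdline yet 200 with "cmdline" for /debug/vars, while the hardened handler returns 404 for both debug paths and still serves /health.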