Severity: CRITICAL 9.8 · Ecosystem: Go

Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars

GHSA-vvf7-6rmr-m29q · CVE-2026-41492


Description

Summary

Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints.

This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler.

Details

Alpha still exposes Go's default HTTP mux:

  • x/metrics.go
    • imports expvar
    • initializes Conf = expvar.NewMap("dgraph_config")
  • Go's expvar package automatically registers /debug/vars
  • expvar publishes:
    • cmdline = os.Args
    • memstats = runtime.MemStats

Alpha's HTTP handler explicitly blocks only the old CVE path:

  • dgraph/cmd/alpha/run.go
    • checks if r.URL.Path == "/debug/pprof/cmdline" and returns 404
    • otherwise falls through to http.DefaultServeMux.ServeHTTP(w, r)

Admin endpoints still trust the leaked token:

  • dgraph/cmd/alpha/admin.go
    • reads X-Dgraph-AuthToken
    • compares it to worker.Config.AuthToken
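The two handler shapes described above, side by side, as an added example that is not Dgraph's own code. The vulnerable handler reproduces the incomplete fix (exact match on /debug/pprof/cmdline, then fall-through to http.DefaultServeMux, on which the expvar import has already registered /debug/vars); the hardened one serves a dedicated mux and denies the whole /debug/ prefix. The /health route and the dgraph_config entries are constructed for the demonstration.

```go
package main

import (
	"expvar"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Mirrors the page's x/metrics.go: importing expvar registers /debug/vars on
// http.DefaultServeMux as a side effect, and cmdline/memstats are published
// alongside this map.
var conf = expvar.NewMap("dgraph_config")

// vulnerableHandler reproduces the incomplete fix: only the exact
// /debug/pprof/cmdline path is denied, then every other request falls through
// to DefaultServeMux, which still serves expvar's /debug/vars (cmdline included).
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/debug/pprof/cmdline" {
		http.NotFound(w, r)
		return
	}
	http.DefaultServeMux.ServeHTTP(w, r)
}

// appMux builds a dedicated mux carrying only application routes. Packages that
// register themselves on DefaultServeMux (expvar, net/http/pprof) never end up here.
// The /health route is a constructed stand-in for real application routes.
func appMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "OK")
	})
	return mux
}

// hardenedHandler denies the whole /debug/ prefix (not one exact path) and never
// consults DefaultServeMux, so a diagnostic handler registered later by some
// import cannot silently reappear on the public port.
func hardenedHandler(app http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/debug/") {
			http.NotFound(w, r)
			return
		}
		app.ServeHTTP(w, r)
	})
}

// probe issues an in-process GET and returns the status code and body.
func probe(h http.Handler, target string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	conf.Set("cache_mb", new(expvar.Int)) // constructed sample config entry
	for _, path := range []string{"/debug/pprof/cmdline", "/debug/vars", "/health"} {
		vCode, vBody := probe(http.HandlerFunc(vulnerableHandler), path)
		hCode, _ := probe(hardenedHandler(appMux()), path)
		fmt.Printf("%-22s vulnerable=%d (cmdline in body: %t)  hardened=%d\n",
			path, vCode, strings.Contains(vBody, `"cmdline"`), hCode)
	}
}
```

Running it shows the vulnerable handler returning 404 for /debug/pprof/cmdline but 200 with a cmdline array for /debug/vars, while the hardened handler returns 404 for both and still serves the application route. The point of the prefix check plus a private mux is that the deny list no longer has to enumerate every path some imported package might register.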

PoC

  1. Send an unauthenticated request to Alpha:

       GET /debug/vars HTTP/1.1
       Host: target:8080

  2. Parse the JSON response and read the cmdline field.

  3. Extract the admin token from the startup arguments, for example:

       --security token=debug-vars-secret;

  4. Replay the token to an admin-only endpoint:

       GET /admin/config/cache_mb HTTP/1.1
       Host: target:8080
       X-Dgraph-AuthToken: debug-vars-secret

  5. The request is accepted as an authorized admin request.

This was reproduced against dgraph/dgraph:v25.3.2 in Docker.

Observed behavior:

  • unauthenticated /debug/vars leaked the configured token
  • replaying the leaked token in X-Dgraph-AuthToken successfully accessed /admin/config/cache_mb
  • response body was:

       4096

It was also verified that the older CVE path is specifically patched in the same version:

  • /debug/pprof/cmdline returned 404 Not Found
  • /debug/pprof/ remained reachable
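A defender-side check for the exposure reproduced above, written as an added example rather than code from the advisory or from Dgraph: it parses a /debug/vars body the way step 2 of the PoC does, but only reports which startup flag carries a credential-looking key, never the value, so the output can go into a ticket without re-leaking the token. The sample body is constructed and the token in it is made up; the key names matched (token, password, secret, key) and the ';' superflag separator are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of a /debug/vars body as expvar would emit it; the token
// value is made up and the argument list is abbreviated.
const sampleDebugVars = `{
"cmdline": ["dgraph", "alpha", "--security", "token=debug-vars-secret; whitelist=10.0.0.0/8", "--my", "localhost:7080"],
"memstats": {"Alloc": 1}
}`

// Finding records which startup flag carried a secret-looking key. The value
// itself is deliberately not stored.
type Finding struct {
	Flag string // e.g. --security
	Key  string // e.g. token
}

// secretKey matches key=value pairs whose key names a credential; a value runs
// up to the ';' separator used inside superflags, or to whitespace.
var secretKey = regexp.MustCompile(`(?i)\b(token|password|secret|key)=[^;\s]+`)

// auditDebugVars parses the cmdline array published by expvar and reports each
// flag whose value (inline after '=' or in the following argument) contains a
// credential-looking key. A finding means the process command line, and hence
// anything that can read /debug/vars or /proc, sees that credential.
func auditDebugVars(body []byte) ([]Finding, error) {
	var vars struct {
		Cmdline []string `json:"cmdline"`
	}
	if err := json.Unmarshal(body, &vars); err != nil {
		return nil, fmt.Errorf("parse /debug/vars: %w", err)
	}
	var findings []Finding
	for i, arg := range vars.Cmdline {
		if !strings.HasPrefix(arg, "-") {
			continue // positional args and flag values are examined via their flag
		}
		flag, value := arg, ""
		if eq := strings.IndexByte(arg, '='); eq >= 0 {
			flag, value = arg[:eq], arg[eq+1:] // --flag=key=value form
		} else if i+1 < len(vars.Cmdline) {
			value = vars.Cmdline[i+1] // --flag "key=value" form
		}
		for _, m := range secretKey.FindAllStringSubmatch(value, -1) {
			findings = append(findings, Finding{Flag: flag, Key: strings.ToLower(m[1])})
		}
	}
	return findings, nil
}

func main() {
	findings, err := auditDebugVars([]byte(sampleDebugVars))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(findings) == 0 {
		fmt.Println("no credential-bearing flags in cmdline")
	}
	for _, f := range findings {
		fmt.Printf("cmdline exposes %s=<redacted> via %s\n", f.Key, f.Flag)
	}
}
```

Against the constructed sample the check reports one finding, token via --security. Beyond blocking the endpoint, the durable fix this check points at is to stop passing the admin token on the command line at all, since os.Args is also visible through /proc and process listings on the host.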

Impact

Unauthenticated attackers can obtain the Alpha admin token and gain unauthorized administrative access.

This enables privileged admin operations such as:

  • reading privileged admin configuration
  • mutating admin configuration
  • performing operational control actions gated by X-Dgraph-AuthToken

In deployments where the Alpha HTTP port is reachable by untrusted parties, this is a practical authentication bypass to admin functionality.
