github.com/dgraph-io/dgraph/v25

CVE-2026-41492

CVE-2026-41492 is a critical-severity security vulnerability in github.com/dgraph-io/dgraph/v25 (go), affecting versions < 25.3.3. It is fixed in 25.3.3.

Key facts

  • CVSS score: 9.8 (Critical)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: github.com/dgraph-io/dgraph/v25
  • Fixed in: 25.3.3
  • Disclosed: 2026

Summary

Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete: it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler.

Details

Alpha still exposes Go's default HTTP mux:
  • x/metrics.go imports expvar and initializes Conf = expvar.NewMap("dgraphconfig")
  • Go's expvar package automatically registers /debug/vars
  • expvar publishes cmdline = os.Args and memstats = runtime.MemStats

Alpha's HTTP handler explicitly blocks only the old CVE path:
  • dgraph/cmd/alpha/run.go checks if r.URL.Path == "/debug/pprof/cmdline" and returns 404
  • otherwise it falls through to http.DefaultServeMux.ServeHTTP(w, r)

Admin endpoints still trust the leaked token:
  • dgraph/cmd/alpha/admin.go reads X-Dgraph-AuthToken and compares it to worker.Config.AuthToken

PoC

  • Send an unauthenticated request to Alpha:
  • Parse the JSON response and read the cmdline field.
  • Extract the admin token from the startup arguments, for example:
  • Replay the token to an admin-only endpoint:

The request is accepted as an authorized admin request.

This was reproduced against dgraph/dgraph:v25.3.2 in Docker. Observed behavior:
  • unauthenticated /debug/vars leaked the configured token
  • replaying the leaked token in X-Dgraph-AuthToken successfully accessed /admin/config/cachemb; the response body was:

It was verified that the old CVE path is specifically patched in the same version:
  • /debug/pprof/cmdline returned 404 Not Found
  • /debug/pprof/ remained reachable

Impact

Unauthenticated attackers can obtain the Alpha admin token and gain unauthorized administrative access. This enables privileged admin operations such as:
  • reading privileged admin configuration
  • mutating admin configuration
  • performing operational control actions gated by X-Dgraph-AuthToken

In deployments where the Alpha HTTP port is reachable by untrusted parties, this is a practical authentication bypass to admin functionality.
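As an added illustration (not code from the Dgraph project or from the advisory), the following Go snippet reproduces the mechanism above in miniature: importing expvar registers /debug/vars on http.DefaultServeMux, a handler that blocks only /debug/pprof/cmdline and falls through to the default mux still serves it, and a handler that refuses the whole /debug/ prefix and routes through its own mux does not. The handler names and the cmdlineLeaked self-check are assumptions of this example, not Dgraph identifiers.

```go
package main

import (
	"encoding/json"
	"expvar" // importing expvar registers /debug/vars on http.DefaultServeMux
	"net/http"
	"net/http/httptest"
	"strings"
)

// Mirrors x/metrics.go: the map itself is harmless, the side effect of the import is not.
var Conf = expvar.NewMap("dgraphconfig")

// vulnerableHandler (hypothetical name) reproduces the incomplete fix: only the old path is
// blocked, everything else falls through to the default mux, which now carries /debug/vars.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/debug/pprof/cmdline" {
		http.NotFound(w, r)
		return
	}
	http.DefaultServeMux.ServeHTTP(w, r)
}

// hardenedHandler (hypothetical name) refuses the entire /debug/ prefix instead of enumerating
// known-bad paths, and serves the rest from an explicit mux that never sees expvar's handler.
func hardenedHandler(app *http.ServeMux) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/debug/") {
			http.NotFound(w, r)
			return
		}
		app.ServeHTTP(w, r)
	}
}

// cmdlineLeaked is a self-check a defender can run against their own handler in a test:
// it requests /debug/vars in-process and reports whether the JSON exposes the process arguments.
func cmdlineLeaked(h http.Handler) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/debug/vars", nil))
	if rec.Code != http.StatusOK {
		return false
	}
	var body struct{ Cmdline []string `json:"cmdline"` }
	if err := json.NewDecoder(rec.Body).Decode(&body); err != nil {
		return false
	}
	return len(body.Cmdline) > 0
}
```

Closing the endpoint does not remove the secret from os.Args, which remains readable by anything that can inspect the process arguments, so the upgrade is best paired with supplying the token from a source that does not appear on the command line.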

Impact

Severity and exposure

CVE-2026-41492 has a CVSS score of 9.8 (Critical). The attack vector is network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (25.3.3). Upgrading removes the vulnerable code path.

Affected versions

go

  • github.com/dgraph-io/dgraph/v25 (< 25.3.3)
  • github.com/dgraph-io/dgraph/v24 (<= 24.1.8)
  • github.com/dgraph-io/dgraph (<= 1.2.8)

Security releases

  • github.com/dgraph-io/dgraph/v25 → 25.3.3 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-41492 is reachable in your applications.


Remediation advice

Upgrade github.com/dgraph-io/dgraph/v25 to 25.3.3 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-41492

What is CVE-2026-41492?

CVE-2026-41492 is a critical-severity security vulnerability in github.com/dgraph-io/dgraph/v25 (go), affecting versions < 25.3.3. It is fixed in 25.3.3.

How severe is CVE-2026-41492?

CVE-2026-41492 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which packages are affected by CVE-2026-41492?

  • github.com/dgraph-io/dgraph/v25 (go) (versions < 25.3.3)
  • github.com/dgraph-io/dgraph/v24 (go) (versions <= 24.1.8)
  • github.com/dgraph-io/dgraph (go) (versions <= 1.2.8)

Is there a fix for CVE-2026-41492?

Yes. CVE-2026-41492 is fixed in 25.3.3. Upgrade to this version or later.

Is CVE-2026-41492 exploitable, and should I be worried?

Whether CVE-2026-41492 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-41492 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-41492?

Upgrade github.com/dgraph-io/dgraph/v25 to 25.3.3 or later.
