CVE-2026-41492

Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.3

Description Dgraph exposes the process command line through the unauthenticated '/debug/vars' endpoint on Alpha. Since the admin token is often provided via the --security startup flag, an unauthenticated attacker can retrieve this token and use it in the X-Dgraph-AuthToken header to gain access to admin-only endpoints. This occurs because the system continues to serve the http.DefaultServeMux, which includes the expvar's '/debug/vars' handler.

Recommendations Update to version 25.3.3.