Dgraph Unauthenticated Admin Token Disclosure via Debug Vars Endpoint

Vulnerability

A vulnerability in Dgraph, an open-source distributed GraphQL database, allows unauthenticated access to the process command line through the /debug/vars endpoint on Alpha, prior to version 25.3.3. The exposed command line includes the admin token, which is typically passed via the --security 'token=...' startup flag. An unauthenticated attacker can retrieve this token and use it in the X-Dgraph-AuthToken header to access admin-only endpoints. This issue is a variant of a previously addressed vulnerability in the /debug/pprof/cmdline endpoint, but the fix for that issue is incomplete: it blocks only the old CVE path, while the /debug/vars handler, which also publishes the command line, is still served.

Impact

Exploitation of this vulnerability allows unauthenticated attackers to obtain the Alpha admin token, bypassing authentication and gaining unauthorized administrative access. This access enables the execution of privileged admin operations, such as reading or modifying admin configuration and performing operational control actions that require admin privileges.

Reproduction

To reproduce this vulnerability, send an unauthenticated request to the Dgraph Alpha server's /debug/vars endpoint. The response includes the process command-line arguments, from which the admin token can be extracted. Once the token is obtained, it can be replayed in the X-Dgraph-AuthToken header in a request to an admin-only endpoint, such as /admin/config/cache_mb. A response returning the configured cache size (cache_mb) value confirms successful administrative access.
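As an added, defender-oriented example that is not part of this advisory or of Dgraph's code base, the Go program below shows the mechanism behind the disclosure and how to audit and mitigate it: Go's expvar package publishes a copy of os.Args as "cmdline" on /debug/vars, so any credential passed in argv is readable by whoever can reach that handler. It includes a self-audit helper that parses a /debug/vars payload and reports argv entries carrying a credential, a log-scanning helper that flags non-loopback fetches of the command-line-exposing endpoints, and the structural mitigation of serving expvar only on a loopback listener. The sample payload and log lines are constructed; the "<client-ip> <method> <path>" log layout and the password=/secret= prefixes are assumptions, not Dgraph specifics.

```go
package main

import (
	"encoding/json"
	"expvar" // registers "cmdline" (a copy of os.Args) and "memstats" at init
	"fmt"
	"log"
	"net/http"
	"strings"
)

// sensitiveFlagPrefixes lists argv fragments that indicate a credential was
// passed on the command line. "token=" matches Dgraph's --security 'token=...'
// flag; "password=" and "secret=" are assumed common spellings, not Dgraph-specific.
var sensitiveFlagPrefixes = []string{"token=", "password=", "secret="}

// FindSecretsInVars parses a /debug/vars JSON payload and returns every
// cmdline argument that carries a sensitive value. Use it against your own
// Alpha to confirm whether the listener still exposes the token.
func FindSecretsInVars(payload []byte) ([]string, error) {
	var vars struct {
		Cmdline []string `json:"cmdline"`
	}
	if err := json.Unmarshal(payload, &vars); err != nil {
		return nil, fmt.Errorf("parse expvar payload: %w", err)
	}
	var leaked []string
	for _, arg := range vars.Cmdline {
		for _, p := range sensitiveFlagPrefixes {
			if strings.Contains(arg, p) {
				leaked = append(leaked, arg)
				break
			}
		}
	}
	return leaked, nil
}

// FlagDebugHits scans access-log lines in an assumed "<client-ip> <method> <path>"
// layout (Dgraph's own log format may differ) and returns the lines where a
// non-loopback client fetched an endpoint that exposes the command line.
func FlagDebugHits(lines []string) []string {
	exposing := []string{"/debug/vars", "/debug/pprof/cmdline"}
	var hits []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue
		}
		ip, path := fields[0], fields[2]
		if ip == "127.0.0.1" || ip == "::1" {
			continue
		}
		for _, e := range exposing {
			if strings.HasPrefix(path, e) {
				hits = append(hits, line)
				break
			}
		}
	}
	return hits
}

// NewPublicMux builds the handler for an externally reachable listener. It
// deliberately registers neither expvar nor pprof, so /debug/vars and
// /debug/pprof/cmdline answer 404 here regardless of what expvar's init did
// to http.DefaultServeMux (which this mux never uses).
func NewPublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	})
	return mux
}

// NewDebugMux builds the handler for a loopback-only listener where operators
// may still read expvar output. Keeping it off the public mux is the
// structural fix; not passing secrets in argv at all is the belt-and-braces one.
func NewDebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/debug/vars", expvar.Handler())
	return mux
}

func main() {
	// Constructed sample of a /debug/vars response (not a real capture).
	sample := []byte(`{"cmdline":["dgraph","alpha","--security","token=EXAMPLE-TOKEN"],"memstats":{}}`)
	leaked, err := FindSecretsInVars(sample)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("argv entries carrying credentials: %v\n", leaked)

	// Serve expvar only on loopback; the public listener gets no /debug/ routes.
	go func() { log.Fatal(http.ListenAndServe("127.0.0.1:6060", NewDebugMux())) }()
	log.Fatal(http.ListenAndServe(":8080", NewPublicMux()))
}
```

Running the program prints the leaked argv entry from the constructed sample and then serves the two listeners; point FindSecretsInVars at a real /debug/vars response from your own Alpha to verify that an upgrade or proxy rule actually removed the exposure.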

Remediation

Users should update to Dgraph version 25.3.3 or later, where this vulnerability has been fixed.

Added: Apr 24, 2026, 8:52 PM
Updated: Apr 24, 2026, 8:52 PM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact          2.5
exploitability  9.1
remediation     7.7
relevance       6.6
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.