CVE-2026-41492
critical
CVSS v3
9.8
CVSS v2
—
VIR risk
9.8
Description
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security-advisories@github.com — https://github.com/dgraph-io/dgraph/security/advisories/GHSA-vvf7-6rmr-m29q
Vendor advisory: security-advisories@github.com — https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/dgraph-io/dgraph/v25 | <25.3.3 | 25.3.3 |
| Go | github.com/dgraph-io/dgraph/v24 | <=24.1.8 | |
| Go | github.com/dgraph-io/dgraph | <=1.2.8 | |
| GO | github.com/dgraph-io/dgraph | <= 1.2.8 | |
| GO | github.com/dgraph-io/dgraph/v24 | <= 24.1.8 | |
| GO | github.com/dgraph-io/dgraph/v25 | < 25.3.3 | 25.3.3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| dgraph | dgraph | {"endExcluding":"25.3.3"} | 25.3.3 |
References
CWEs
CWE-200
Verify integrity in audit chain (admin only). AS-IS.