GHSA-VVF7-6RMR-M29Q Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars

Summary Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the...

Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars

Summary Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the...

GHSA-95MQ-XWJ4-R47P Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints

Summary An unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from --security "token=...". This does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level access ...