An unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from --security "token=...".
This does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level access by reusing the leaked token in X-Dgraph-AuthToken.
The behavior occurs entirely within core Alpha HTTP routing and does not require any external proxy, plugin, or non-core integration.
The core issue is not that admin token protection is absent, but that the protected secret is exposed in cleartext through an unauthenticated core debug endpoint.
Relevant code paths:

- dgraph/cmd/alpha/run.go:17 imports net/http/pprof, which registers /debug/pprof/* handlers on the default mux.
- dgraph/cmd/alpha/run.go:533 uses http.Handle("/", audit.AuditRequestHttp(baseMux)), so default-mux handlers remain reachable.
- dgraph/cmd/alpha/admin.go:52 enforces admin token checks in adminAuthHandler for admin endpoints.
- dgraph/cmd/alpha/admin.go:74 shows /admin/config/cache_mb behind adminAuthHandler.

Credential-exposure chain:

- /debug/pprof/cmdline is reachable without authentication and returns the process command line, including the configured token.
- The disclosed token is accepted by adminAuthHandler when sent as X-Dgraph-AuthToken.

Observed local evidence (safe validation):
- GET /admin/config/cache_mb without token -> "Invalid X-Dgraph-AuthToken"
- GET /debug/pprof/cmdline without token -> response contains --security=token=TopSecretToken123;
- GET /admin/config/cache_mb with X-Dgraph-AuthToken: TopSecretToken123
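To make the routing precedence behind this chain concrete, the following Go program is an added example and not Dgraph's code: it reproduces the reported shape (net/http/pprof registering /debug/pprof/* on http.DefaultServeMux at init, then "/" being registered on that same mux) beside a hardened router that never serves the default mux and mounts the pprof handlers only behind the admin token check. adminAuth, appMux, LeakyHandler, HardenedHandler, Probe and the token value are all constructed for this example; adminAuth only models the report's description of adminAuthHandler.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // importing this package registers /debug/pprof/* on http.DefaultServeMux in its init()
	"sync"
)

// adminToken stands in for the secret passed on the command line via --security "token=...".
// Constructed value for this example only.
const adminToken = "EXAMPLE-ADMIN-TOKEN"

// adminAuth is a hypothetical token check modelled on the report's description of
// adminAuthHandler; it is not Dgraph's code. The rejection text mirrors the
// observed "Invalid X-Dgraph-AuthToken" response.
func adminAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Dgraph-AuthToken") != adminToken {
			http.Error(w, "Invalid X-Dgraph-AuthToken", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// appMux builds the application's own mux with one token-protected admin route.
func appMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/admin/config/cache_mb", adminAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "cache_mb: 1024") // constructed placeholder body
	})))
	return mux
}

var leakyOnce sync.Once

// LeakyHandler reproduces the routing shape in the report: "/" is registered on
// http.DefaultServeMux, the same mux pprof's init() already populated. ServeMux
// dispatches to the most specific matching pattern, so /debug/pprof/cmdline is
// served by pprof.Cmdline directly and never passes through the application mux
// or its auth middleware. (sync.Once: DefaultServeMux panics on duplicate registration.)
func LeakyHandler() http.Handler {
	leakyOnce.Do(func() { http.Handle("/", appMux()) })
	return http.DefaultServeMux
}

// HardenedHandler never exposes http.DefaultServeMux. The pprof handlers are mounted
// explicitly on the application mux behind the same admin token check, so the
// process command line (and any secret in it) is no longer readable anonymously.
// Serving these routes only on a loopback-bound listener is an equivalent control.
func HardenedHandler() http.Handler {
	mux := appMux()
	mux.Handle("/debug/pprof/", adminAuth(http.HandlerFunc(pprof.Index)))
	mux.Handle("/debug/pprof/cmdline", adminAuth(http.HandlerFunc(pprof.Cmdline)))
	return mux
}

// Probe issues an in-process GET (optionally with the admin header) and returns
// the status code and body, so both routers can be compared without a network.
func Probe(h http.Handler, path, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("X-Dgraph-AuthToken", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, tc := range []struct {
		name string
		h    http.Handler
	}{{"leaky", LeakyHandler()}, {"hardened", HardenedHandler()}} {
		status, body := Probe(tc.h, "/debug/pprof/cmdline", "")
		fmt.Printf("%-9s GET /debug/pprof/cmdline (no token) -> %d %q\n", tc.name, status, body)
	}
}
```

Running it prints the leaky router answering the anonymous cmdline request with 200 and the process arguments, while the hardened router answers 401. Note that pprof.Cmdline still echoes the full argv to an authenticated caller, so gating the endpoint is only half of the fix: keeping the admin token out of the command line (environment variable or file) removes the secret from that output entirely.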
25.3.2

CVSS 3.1 base score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)

Exploitability: AV:N / AC:L / PR:N / UI:N
Scope: S:U
Impact: C:H / I:H / A:L