Golang/Github.com/Dgraph-Io/Dgraph/V25 | GitLab Advisory Database (GLAD)

Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints

An unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from –security "token=…". This does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level access by reusing the leaked token in X-Dgraph-AuthToken.

Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization

The restoreTenant admin mutation is missing from the authorization middleware config (admin.go:499-522), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF.

Advisories for Golang/Github.com/Dgraph-Io/Dgraph/V25 package