CVE-2026-11746 | A vulnerability has been identified in centraldogma-server v… | CVSS 9.4 CRITICAL

Description

A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.

Metadata

CVE ID: CVE-2026-11746
State: PUBLISHED
Assigner: LY-Corporation
Reserved: 2026-06-09 06:48 UTC
Published: 2026-06-22 02:35 UTC
Last updated: 2026-06-22 02:35 UTC
Vendor / Product: LY Corporation / Central Dogma
Sources: cve.org · NVD

Severity & Metrics

9.4 CRITICAL CVSS 4.0

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected products (1)

Vendor	Product	Platform	Versions
LY Corporation	Central Dogma	—	0.84.0 < *

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-798

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.4	CRITICAL	4.0	cna	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (1)

https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg