CVE-2026-11746 · Symaro Security Advisory

Description

A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.

Severity (CVSS)

Base score	9.4
Severity	Critical
Version	CVSS 4.0
Vector	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Provided by	CNA

Weaknesses

— CWE-798

Affected products

Vendor	Product	Versions
LY Corporation	Central Dogma	0.84.0 to <*

References

https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.