CVE-2026-11748 · Symaro Security Advisory

Description

A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.

Severity (CVSS)

Base score	6.9
Severity	Medium
Version	CVSS 4.0
Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N
Provided by	CNA

Weaknesses

— CWE-90

Affected products

Vendor	Product	Versions
LY Corporation	Central Dogma	0.84.0 to <*

References

https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.