SB2026062318 - Multiple vulnerabilities in Central Dogma

Published: June 23, 2026

Security Bulletin ID: SB2026062318
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 67% (2 of 3)
Medium: 33% (1 of 3)

Description

This security bulletin contains information about 3 vulnerabilities.


1) LDAP injection (CVE-ID: CVE-2026-11748)

CWE-ID: CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote, unauthenticated attacker to bypass authentication controls and evade audit logging.

The vulnerability exists because SearchFirstActiveDirectoryRealm.findUserDn() places the user-supplied username into an LDAP search filter without neutralizing filter metacharacters (such as *, (, ) and \). A remote attacker can submit a specially crafted username that changes the structure of the search filter instead of being matched as a literal value, for example so that the search resolves a directory entry other than the one named, and thereby bypass authentication controls and evade audit logging.

Only deployments that have opted in to the Active Directory search-first realm (SearchFirstActiveDirectoryRealm) are affected; the DefaultLdapRealm example configuration shipped with the product is not.
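
The following is an added example and not Central Dogma's code: it shows the vulnerable pattern (a raw username spliced into a search filter) next to the hardened one (RFC 4515 escaping), plus a structural check that counts the assertions in the resulting filter. The filter template, the username attribute (sAMAccountName) and the crafted input are assumptions for illustration; the realm's real filter is not shown on this page.

```python
from typing import Dict

# Assumed filter shape for a search-first AD lookup; the real realm's template
# is not shown on the page, so this is an illustration, not Central Dogma's code.
FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName={username}))"

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_ESCAPES: Dict[str, str] = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter(value: str) -> str:
    """Escape a value so it can only ever be read as data inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str) -> str:
    """The vulnerable pattern: the raw username is spliced into the filter."""
    return FILTER_TEMPLATE.format(username=username)


def build_filter_safe(username: str) -> str:
    """The hardened pattern: the username is escaped before it is spliced in."""
    return FILTER_TEMPLATE.format(username=escape_ldap_filter(username))


def count_assertions(ldap_filter: str) -> int:
    """Count the simple (attribute=value) assertions in a filter string.

    A '(' followed by '&', '|' or '!' opens a compound; any other '(' opens an
    assertion. A correctly built filter from FILTER_TEMPLATE always has two.
    """
    return sum(
        1
        for i, ch in enumerate(ldap_filter)
        if ch == "(" and ldap_filter[i + 1:i + 2] not in ("&", "|", "!")
    )


def filter_has_expected_shape(ldap_filter: str) -> bool:
    """Detection-style check: did the username change the query's structure?"""
    return count_assertions(ldap_filter) == count_assertions(
        FILTER_TEMPLATE.format(username="x")
    )


if __name__ == "__main__":
    # Constructed attacker input: closes the sAMAccountName assertion and
    # appends one that every entry satisfies, so the search no longer keys on
    # the submitted name at all.
    crafted = "*)(objectClass=*"
    for build in (build_filter_vulnerable, build_filter_safe):
        f = build(crafted)
        print(build.__name__, f, "assertions:", count_assertions(f),
              "shape ok:", filter_has_expected_shape(f))
```

With the crafted input the vulnerable builder yields three assertions instead of two, which is the kind of structural change a realm should never let a username cause; after escaping, the same input is an ordinary (non-matching) literal. Escaping on the way into the filter is the fix; the shape check is useful as a regression test or as a log-side detection of attempts.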


2) Use of hard-coded credentials (CVE-ID: CVE-2026-11746)

CWE-ID: CWE-798 - Use of Hard-coded Credentials

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user who can reach the embedded ZooKeeper ports to join the embedded ZooKeeper quorum, read replication logs, and execute arbitrary commands across the cluster.

The vulnerability exists because ZooKeeperReplicationConfig.secret() and the embedded ZooKeeper SASL configuration fall back to a hard-coded secret when ZooKeeper replication is enabled without replication.secret configured. Central Dogma is open source, so that default value is effectively public. A remote user can authenticate to the embedded ZooKeeper with the hard-coded secret and either impersonate a peer or access the embedded ZooKeeper surfaces directly, and thereby join the quorum, read replication logs, and execute arbitrary commands across the cluster.

The issue applies only when replication.method is set to ZOOKEEPER; standalone deployments using NONE are not affected. Because the same secret is used for client-facing SASL and for the quorum and learner SASL contexts, a single defaulted value opens every ZooKeeper surface at once. Deployments that cannot update immediately should at least set replication.secret to a unique random value shared by all nodes of the cluster.
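
The following is an added example, not Central Dogma's code: a small audit of the replication block of a configuration file, showing the weak setting (ZOOKEEPER with no secret) next to the corrected one. It assumes the configuration is JSON with a "replication" object holding "method" and "secret", matching the replication.method and replication.secret keys named above; the minimum length is a policy chosen for this example, not a project value.

```python
import json
import secrets
from typing import Any, Dict, List

# Constructed configuration fragment (assumption: the replication block holds
# "method" and "secret"; other keys are omitted). This is the weak setting.
WEAK_CONFIG = json.loads("""
{
  "replication": {
    "method": "ZOOKEEPER"
  }
}
""")

MIN_SECRET_LENGTH = 32  # assumed policy for this example, not a project value


def audit_replication(config: Dict[str, Any]) -> List[str]:
    """Return findings for the replication block; an empty list means nothing to fix."""
    findings: List[str] = []
    replication = config.get("replication") or {}
    method = replication.get("method", "NONE")
    if method != "ZOOKEEPER":
        return findings  # standalone (NONE) deployments run no embedded ZooKeeper SASL
    secret = replication.get("secret")
    if not secret:
        findings.append(
            "replication.method is ZOOKEEPER but replication.secret is unset: "
            "the hard-coded default is used for client, quorum and learner SASL"
        )
    elif len(secret) < MIN_SECRET_LENGTH:
        findings.append(
            "replication.secret is shorter than %d characters" % MIN_SECRET_LENGTH
        )
    return findings


def generate_secret(nbytes: int = 32) -> str:
    """A per-cluster random secret; every node in the quorum must share the same value."""
    return secrets.token_urlsafe(nbytes)


def harden(config: Dict[str, Any], secret: str) -> Dict[str, Any]:
    """Return a copy of config with an explicit replication.secret set (input is not modified)."""
    fixed = json.loads(json.dumps(config))  # deep copy via a JSON round trip
    fixed.setdefault("replication", {})["secret"] = secret
    return fixed


if __name__ == "__main__":
    print("weak:", audit_replication(WEAK_CONFIG))
    fixed = harden(WEAK_CONFIG, generate_secret())
    print("hardened:", audit_replication(fixed))
    print(json.dumps(fixed, indent=2))
```

Because one value serves the client, quorum and learner SASL contexts, the secret has to be distributed to every node before the cluster is restarted; rotating it on a single node partitions that node from the quorum rather than protecting it.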


3) Key Exchange without Entity Authentication (CVE-ID: CVE-2026-11745)

CWE-ID: CWE-322 - Key Exchange without Entity Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a network-positioned attacker to impersonate the remote git server and disclose sensitive information.

The vulnerability exists because SshGitMirror establishes outbound SSH connections for git+ssh:// mirrors without authenticating the server: the host key presented by the remote end is not checked against any known or pinned key. An attacker who can intercept the connection (for example, on the network path or through DNS manipulation) can present an arbitrary SSH host key, and the mirror completes the key exchange with the attacker's server as if it were the legitimate remote, so the attacker can read whatever the mirror sends and disclose sensitive information.

The issue affects both mirror directions. In the local-to-remote direction, the repository contents that Central Dogma pushes are disclosed to the attacker; in the remote-to-local direction, Central Dogma accepts attacker-controlled commits, which are then propagated to downstream subscribers.
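
The following is an added example and not Central Dogma's or SshGitMirror's code: it shows what the missing entity-authentication step looks like when it is present, namely checking the host key a server presents against a known_hosts file (plain and OpenSSH-hashed hostnames) and refusing both a mismatching key and an unknown host. The hostnames, the known_hosts contents and the "key" blobs are constructed for the example; they are not real SSH public keys.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class HostKey:
    key_type: str  # e.g. "ssh-ed25519"
    key_b64: str   # base64 of the public key blob, as stored in known_hosts


def fingerprint(key: HostKey) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob, for operator review."""
    digest = hashlib.sha256(base64.b64decode(key.key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Build an OpenSSH '|1|salt|hmac' hashed hostname field (HMAC-SHA1)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(mac).decode(),
    )


def _host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field (comma-separated, plain or hashed)."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, _ = pattern.split("|")
            candidate = hashed_hostname(host, base64.b64decode(salt_b64))
            if hmac.compare_digest(candidate, pattern):
                return True
        elif pattern == host:
            return True
    return False


def verify_host_key(known_hosts: str, host: str, presented: HostKey) -> str:
    """Return "ok", "mismatch" or "unknown" for the key a server presented.

    "unknown" is a hard failure here on purpose: a mirror that accepts any key
    for a host it has never seen is exactly the CWE-322 behaviour described.
    Marker lines (@cert-authority, @revoked) and [host]:port patterns are not
    handled in this example.
    """
    host_seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0].startswith("@"):
            continue
        hosts_field, key_type, key_b64 = parts[0], parts[1], parts[2]
        if not _host_matches(hosts_field, host):
            continue
        host_seen = True
        if key_type == presented.key_type and hmac.compare_digest(key_b64, presented.key_b64):
            return "ok"
    return "mismatch" if host_seen else "unknown"


# Constructed data: these "keys" are not real SSH public keys, just blobs with
# the right encoding so the comparison logic can be exercised offline.
GOOD_KEY = HostKey("ssh-ed25519", base64.b64encode(b"constructed key of git.example.com").decode())
ROGUE_KEY = HostKey("ssh-ed25519", base64.b64encode(b"constructed key of an attacker").decode())
SALT = b"0123456789abcdef0123"  # 20-byte salt, the size OpenSSH uses for hashed entries
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "git.example.com %s %s" % (GOOD_KEY.key_type, GOOD_KEY.key_b64),
    "%s ssh-ed25519 %s" % (hashed_hostname("mirror.example.org", SALT), GOOD_KEY.key_b64),
])


if __name__ == "__main__":
    for host, key in (("git.example.com", GOOD_KEY), ("git.example.com", ROGUE_KEY),
                      ("mirror.example.org", GOOD_KEY), ("other.example.net", GOOD_KEY)):
        print(host, fingerprint(key), verify_host_key(KNOWN_HOSTS, host, key))
```

The comparison is done on the base64 blob exactly as known_hosts stores it, which is what an SSH client compares after the key exchange; a pinned key must be obtained out of band (from the git hosting provider or the server operator) and recorded before the first mirror run, since trust-on-first-use would still let the attacker win the first connection.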


Remediation

Install update from vendor's website.