Use of hard-coded credentials in Central Dogma - CVE-2026-11746


Published: June 23, 2026


Vulnerability identifier: #VU135052
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-11746
CWE-ID: CWE-798
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: LINE Corporation
Affected software:
Central Dogma

Detailed vulnerability description

The vulnerability allows a remote user to join the embedded ZooKeeper quorum, read replication logs, and execute arbitrary commands across the cluster.

The vulnerability exists due to use of hard-coded credentials in ZooKeeperReplicationConfig.secret() and the embedded ZooKeeper SASL configuration when ZooKeeper replication is enabled without replication.secret configured. A remote user can authenticate with the hard-coded secret and impersonate a peer or access the embedded ZooKeeper surfaces to join the embedded ZooKeeper quorum, read replication logs, and execute arbitrary commands across the cluster.

The issue applies when replication.method is set to ZOOKEEPER; standalone deployments using NONE are not affected. The same secret is used for both client-facing SASL and quorum or learner SASL contexts.
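As an added defender-side check (not part of this advisory or of the Central Dogma project), the Python script below reads a Central Dogma replication config and flags the condition the advisory describes: replication.method set to ZOOKEEPER with no replication.secret configured. The sample JSON documents and the hardening helper are constructed for illustration; the real config file carries more fields, which the checker ignores.

```python
import json
import secrets

# Constructed sample configs (illustrative, not real deployment files). The
# key names follow the advisory: replication.method and replication.secret.
WEAK_CONFIG = json.dumps({"replication": {"method": "ZOOKEEPER", "serverId": 1}})
STANDALONE_CONFIG = json.dumps({"replication": {"method": "NONE"}})


def audit_replication(config_text: str) -> list:
    """Return a list of findings for one Central Dogma config; an empty list
    means the condition described in the advisory was not found."""
    cfg = json.loads(config_text)
    repl = cfg.get("replication") or {}
    method = str(repl.get("method", "NONE")).upper()
    if method != "ZOOKEEPER":
        return []  # standalone deployments (method NONE) are not affected
    secret = repl.get("secret")
    # Treat a missing, non-string or whitespace-only secret as unset.
    if not isinstance(secret, str) or not secret.strip():
        return ["replication.method is ZOOKEEPER but replication.secret is "
                "unset; the embedded ZooKeeper SASL configuration falls back "
                "to the hard-coded secret (CWE-798)"]
    return []


def harden(config_text: str) -> str:
    """Return the config with an operator-generated replication.secret set
    when the audit flags it. The value comes from secrets.token_hex; every
    node in the cluster must receive the same secret, which is the
    operator's job, not this helper's."""
    cfg = json.loads(config_text)
    if audit_replication(config_text):
        cfg.setdefault("replication", {})["secret"] = secrets.token_hex(32)
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("standalone", STANDALONE_CONFIG)):
        print(name, audit_replication(text) or "ok")
    print(harden(WEAK_CONFIG))
```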


How to mitigate CVE-2026-11746

Install the security update from the vendor's website.
