Key Exchange without Entity Authentication in Central Dogma - CVE-2026-11745

 


Published: June 23, 2026


Vulnerability identifier: #VU135053
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-11745
CWE-ID: CWE-322
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LINE Corporation
Affected software: Central Dogma

Detailed vulnerability description

The vulnerability allows a remote attacker to impersonate the remote git server and gain access to sensitive information.

The vulnerability exists because SshGitMirror performs key exchange without entity authentication when establishing outbound SSH connections for git+ssh:// mirrors. A remote attacker can present an arbitrary SSH host key to impersonate the remote git server and gain access to sensitive information.

The issue affects both local-to-remote and remote-to-local mirror directions, and successful exploitation can also cause Central Dogma to accept attacker-controlled commits that are propagated to downstream subscribers.
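
The check that is missing in this class of flaw (CWE-322) is host key verification: the client compares the key the server presents with one pinned in advance and refuses the connection on anything but an exact match. The Python code below is an added example, not Central Dogma's code or the vendor's fix; it assumes pins are stored in OpenSSH known_hosts format, and the host name, port and key bytes are constructed.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, for logging a rejected key."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_pattern(host: str, port: int) -> str:
    return host if port == 22 else f"[{host}]:{port}"

def check_host_key(known_hosts: str, host: str, port: int, presented: bytes) -> str:
    """Return 'match', 'mismatch' (host pinned, key differs) or 'unknown'."""
    verdict = "unknown"
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue  # comments, @markers, hashed hosts: out of scope (as are wildcards)
        if host_pattern(host, port) not in fields[0].split(","):
            continue
        try:
            pinned = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue  # a malformed entry never counts as a pin
        if hmac.compare_digest(pinned, presented):
            return "match"
        verdict = "mismatch"
    return verdict

def may_connect(verdict: str) -> bool:
    # Fail closed: an unknown host is refused too, otherwise the first
    # connection of a new mirror can be answered by an impersonator.
    return verdict == "match"

# Constructed sample data (not real keys): an ed25519 key blob is
# string "ssh-ed25519" followed by string <32-byte key>.
PINNED = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
OTHER = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
KNOWN_HOSTS = "[git.example.com]:2222 ssh-ed25519 " + base64.b64encode(PINNED).decode()

if __name__ == "__main__":
    for name, key in (("pinned", PINNED), ("other", OTHER)):
        verdict = check_host_key(KNOWN_HOSTS, "git.example.com", 2222, key)
        print(name, verdict, may_connect(verdict), fingerprint(key))
```

A "mismatch" verdict for a host that is already pinned is worth alerting on rather than only logging, since it means the mirror endpoint presented a key other than the one recorded for it.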


How to mitigate CVE-2026-11745

Install the security update from the vendor's website.
