CVE Catalog

CVE-2026-11746

CriticalCVSS 9.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble.

Risk Assessment

An attacker with network access can read the full replication log or join the quorum, allowing them to execute arbitrary replicated commands across the cluster. This poses a serious threat to the integrity and confidentiality of data.

Recommendation

It is recommended to upgrade to centraldogma-server version 0.84.0 or later and configure replication.secret to avoid using the default secret.

Original NVD description (English source)

A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS