CVE-2026-11748
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters.
Risk Assessment
An unauthenticated attacker can manipulate the filter, leading to authentication confusion and allowing enumeration of the directory structure.
Recommendation
It is recommended to upgrade to version 0.84.0 or later to mitigate this vulnerability.
Original NVD description (English source)
A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.

