HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11746Published Modified CNA LY-Corporation

CVE-2026-11746: A vulnerability has been identified in centraldogma-server versions prior to 0

A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.

Metrics

CVSS v4.0
9.4
Severity
CRITICAL
Fixed in
0.84.0
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An authentication bypass vulnerability affects centraldogma-server versions prior to 0.84.0. When ZooKeeper replication is enabled without an explicit replication.secret configured, the server silently falls back to a hard-coded, publicly known secret, meaning any attacker with adjacent network access and no credentials can authenticate to the embedded ZooKeeper ensemble. Successful exploitation gives the attacker full read access to the replication log and the ability to join the quorum and execute arbitrary replicated commands across the entire cluster. A patched-image rebuild at version 0.84.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from centraldogma-server base layers.

Available
Triage

HarborGuard scores this finding at CVSS 9.4 Critical and weights it against each environment's compliance policy to determine urgency, then routes the alert to the appropriate team inbox within each customer organization.

Available
Patch

A patched-image rebuild pinned to centraldogma-server 0.84.0 becomes available on HarborGuard as soon as the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityDetail

    The attacker must be present on an adjacent network, such as a LAN, container overlay network, or VPN segment, to reach the ZooKeeper replication port; remote internet access alone is not sufficient.

  • AuthenticationNot required

    No credentials are needed because the hard-coded secret is publicly known, effectively eliminating the authentication barrier entirely.

  • Victim interactionNot required

    Exploitation is entirely attacker-driven and requires no action from any user or operator of the affected server.

  • Attack complexityDetail

    The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental state are required.

Blast Radius

  • Attacker reads the full ZooKeeper replication log, exposing all replicated configuration entries and secrets stored in Central Dogma.
  • Attacker joins the ZooKeeper quorum and writes arbitrary replicated commands, modifying configuration data distributed to all nodes in the cluster.
  • Attacker disrupts quorum integrity, causing replication failures that crash or stall dependent services across the cluster.
  • Both the directly affected Central Dogma cluster (VC/VI/VA: High) and any downstream systems that consume its configuration (SC/SI/SA: High) are fully compromised.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11746 is active across all connected environments, matching any image that includes centraldogma-server prior to 0.84.0. For environments where a fix is applicable, a rebuilt image at version 0.84.0 is made available automatically. For customers with auto-remediation enabled, HarborGuard initiates the rebuild, executes the regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in those environments. For environments where auto-remediation is not enabled or where compliance policy requires manual review, the finding is surfaced in the HarborGuard dashboard with full CVSS context and routing to the designated team. As an interim compensating control, network policy rules that restrict access to ZooKeeper replication ports to explicitly trusted peers reduce the adjacent-network attack surface until the patched image is deployed.

See how HarborGuard automates this

Fix available

0.84.0
Affected packages
  • LY Corporation / Central Dogma
    Fixed in 0.84.0
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References