Description
A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
Published: 2026-06-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The affected Git mirror client for Central Dogma fails to verify the SSH host key when retrieving repositories over git+ssh. An attacker who can intercept the SSH traffic is able to pose as the remote Git server and supply malicious content, thereby corrupting the mirrored repository. This flaw can lead to the insertion of unauthorized commits or the alteration of existing code, directly damaging code integrity and potentially enabling further exploitation.

Affected Systems

Vulnerability targets the centraldogma-server-mirror-git component of LY Corporation’s Central Dogma, affecting versions older than 0.84.0. No other products or versions are listed as impacted.

Risk and Exploitability

The issue carries a high CVSS score of 8.8 and is not listed in CISA’s KEV catalog. Because host key validation is missing, any network attacker who can observe or modify git+ssh traffic can exploit the flaw, and an attacker who controls the mirror destination can supply a poisoned repository without detection. Although EPSS data is unavailable, the practical exploitability is high for environments without adequate network isolation or host key checking.

Generated by OpenCVE AI on June 22, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Central Dogma to version 0.84.0 or later
  • Configure the git+ssh client to enforce host key verification, rejecting connections that do not match known keys
  • Isolate the Git mirror traffic by segmenting the network or routing it over a VPN to prevent on‑path interception

Generated by OpenCVE AI on June 22, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Ly Corporation
Ly Corporation central Dogma
Vendors & Products Ly Corporation
Ly Corporation central Dogma

Mon, 22 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Central Dogma Git Mirror SSH Host Key Verification Missing Allowing Man‑in‑the‑Middle

Mon, 22 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Git Mirror SSH Host Key Verification Bypass Leading to Repository Compromise
Weaknesses CWE-295

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-322
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Git Mirror SSH Host Key Verification Bypass Leading to Repository Compromise
Weaknesses CWE-295

Mon, 22 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L'}


Subscriptions

Ly Corporation Central Dogma
cve-icon MITRE

Status: PUBLISHED

Assigner: LY-Corporation

Published:

Updated: 2026-06-22T16:29:43.057Z

Reserved: 2026-06-09T06:46:10.431Z

Link: CVE-2026-11745

cve-icon Vulnrichment

Updated: 2026-06-22T16:29:34.546Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:03:47Z

Weaknesses
  • CWE-322

    Key Exchange without Entity Authentication