Description
A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
Published: 2026-06-22
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the Git mirror SSH client in Central Dogma does not verify remote host keys for git+ssh connections. As a result, an on‑path attacker can perform a man‑in‑the‑middle attack and intercept or modify the data exchanged during repository mirroring. The attacker could potentially alter the contents of the mirrored repository, insert malicious commits or otherwise compromise the integrity of the code base. While the CVE description does not explicitly state the exact manipulation possible, it is inferred that tampering could occur.

Affected Systems

Affected vendors and products: LY Corporation’s Central Dogma server. Versions prior to 0.84.0 of the centraldogma‑server‑mirror‑git component are vulnerable; no additional version information is provided.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity issue. The EPSS score is not available, but the lack of host key verification means that a network attacker who can intercept git+ssh traffic can exploit this flaw. The vulnerability is not listed in CISA’s KEV catalog. An attacker who can control the server Central Dogma contacts for mirroring can serve a malicious copy of the repository, effectively compromising repository integrity.

Generated by OpenCVE AI on June 22, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Central Dogma to version 0.84.0 or later
  • If an upgrade is not immediately feasible, configure SSH host key verification for all git+ssh mirroring operations, ensuring the client validates the server’s public key
  • Implement network segmentation or a VPN to isolate git traffic and prevent on‑path attackers from intercepting mirrored repository data

Generated by OpenCVE AI on June 22, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Git Mirror SSH Host Key Verification Bypass Leading to Repository Compromise
Weaknesses CWE-295

Mon, 22 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: LY-Corporation

Published:

Updated: 2026-06-22T02:33:08.952Z

Reserved: 2026-06-09T06:46:10.431Z

Link: CVE-2026-11745

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T04:30:16Z

Weaknesses
  • CWE-295

    Improper Certificate Validation