Description
A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.
Published: 2026-06-22
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A default, publicly known secret is used by Central Dogma when ZooKeeper replication is enabled without a custom "replication.secret" value. This hard-coded credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the entire replication log or participate in the quorum and execute arbitrary replicated commands. The flaw exploits a hard-coded credential weakness (CWE-798) and results in the compromise of confidentiality, integrity, and availability of the replicated data.

Affected Systems

LY Corporation Central Dogma versions prior to 0.84.0 that have ZooKeeper replication enabled without setting a replication.secret. The vulnerability applies to all releases before 0.84.0 when this configuration is used.

Risk and Exploitability

The CVSS score of 9.4 signals critical severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker who can reach the ZooKeeper or Central Dogma network is able to use the default secret to join the quorum and gain full control over replicated commands, effectively achieving remote code execution across the cluster.

Generated by OpenCVE AI on June 22, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Central Dogma to version 0.84.0 or later, which removes the hard‑coded secret
  • If an upgrade cannot be performed immediately, disable ZooKeeper replication or configure a unique replication.secret to prevent use of the default credential
  • Monitor the ZooKeeper cluster for unauthorized connections and ensure the replication.secret is not set to the default value

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 05:15:00 +0000

Type: Title
  Values Removed: (none)
  Values Added: ZooKeeper Replication Default Secret Exposes Full Replication Log and Arbitrary Command Execution

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-287, CWE-798

Mon, 22 Jun 2026 03:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: LY-Corporation

Published:

Updated: 2026-06-22T02:35:51.201Z

Reserved: 2026-06-09T06:48:47.296Z

Link: CVE-2026-11746

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T05:00:06Z

Weaknesses
  • CWE-287: Improper Authentication
  • CWE-798: Use of Hard-coded Credentials