CVE-2026-11746
CriticalCVSS 9.4Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble.
Risk Assessment
An attacker with network access can read the full replication log or join the quorum, allowing them to execute arbitrary replicated commands across the cluster. This poses a serious threat to the integrity and confidentiality of data.
Recommendation
It is recommended to upgrade to centraldogma-server version 0.84.0 or later and configure replication.secret to avoid using the default secret.
Original NVD description (English source)
A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.

