Executive Summary

CVE-2026-11745 is a high-severity vulnerability in Central Dogma's Git mirror SSH client versions prior to 0.84.0. The vulnerability arises because the SSH client permanently disables verification of remote host keys for git+ssh:// connections. This means the client blindly trusts any host key presented by remote Git servers without validating them.

The root cause is that the server key verifier is configured to always return true, and fallback verification methods like known_hosts or ~/.ssh/config are disabled. There is no host-key pinning mechanism, so operators cannot enable proper verification.

As a result, an attacker with network access can impersonate a remote Git server by exploiting this lack of verification, enabling man-in-the-middle attacks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including the compromise of mirrored repositories. An attacker can exfiltrate sensitive data such as database credentials or API keys stored in these repositories.

Additionally, the attacker can inject malicious commits into downstream services that consume Central Dogma configurations, potentially causing further security breaches.

Credential theft is also possible, as mirror credentials like SSH keys or tokens can be captured and reused against the legitimate upstream server.

The vulnerability affects both confidentiality and integrity of the vulnerable system and any systems relying on it.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs because the Git mirror SSH client in centraldogma-server-mirror-git versions prior to 0.84.0 disables SSH host-key verification by always accepting any remote host key without validation.

To detect if your system is vulnerable, you should check the version of centraldogma-server-mirror-git installed and verify if the SSH host-key verification is disabled or bypassed in the SshGitMirror component.

Suggested commands include:

• Check the installed version of centraldogma-server-mirror-git: `centraldogma-server-mirror-git --version` or check package manager info.
• Inspect the configuration or source code for the presence of an always-true server key verifier or absence of host-key verification settings.
• Monitor network traffic for suspicious man-in-the-middle activity, such as unexpected SSH host keys or unusual SSH connection attempts to git+ssh:// endpoints.
• Use SSH debugging to check host key verification behavior, e.g., `GIT_SSH_COMMAND="ssh -v" git clone git+ssh://...` to observe if host keys are being verified.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading centraldogma-server-mirror-git to version 0.84.0 or later, where the vulnerability is fixed by adding an acceptedHostKeys field and implementing proper host-key verification.

Until you can upgrade, avoid using the vulnerable Git mirror SSH client for critical or sensitive repositories.

Additionally, restrict network access to trusted sources to reduce the risk of on-path attackers exploiting the vulnerability.

Consider implementing network-level protections such as ARP spoofing detection, DNS security measures, and monitoring for BGP hijacking attempts.

Use the provided admin tools (if available) to explicitly verify host keys and avoid implicit Trust On First Use (TOFU) behavior.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an on-path attacker to perform man-in-the-middle attacks, potentially leading to the exfiltration of mirrored repository contents, which may include sensitive information such as database credentials or API keys.

Such unauthorized access and data compromise could result in violations of data protection regulations like GDPR and HIPAA, which require the protection of sensitive and personal data against unauthorized access and breaches.

The compromise of confidentiality and integrity of data due to this vulnerability may therefore impact an organization's ability to comply with these common standards and regulations.

Useful 0 Not Useful 0