Executive Summary

CVE-2026-11746 is a critical vulnerability in Central Dogma server versions prior to 0.84.0. It occurs when ZooKeeper replication is enabled but the operator does not set the replication.secret configuration. In this case, the server silently falls back to a hard-coded, publicly known secret "ch4n63m3" (leetspeak for "change me").

This default secret is used for both client-facing SASL authentication and inter-peer ZooKeeper quorum communication. Because the secret is publicly known and hard-coded, an attacker with network access to the quorum ports or local host access can authenticate as a super user.

This allows the attacker to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster, potentially compromising the entire Central Dogma cluster.

The vulnerability arises from three main issues: the hard-coded credential being publicly visible, the silent fallback to this default secret without warnings, and the reuse of the same secret for both client and quorum authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker with network or local access to fully compromise the Central Dogma cluster.

• Unauthorized reading of the full replication log, exposing sensitive data such as encryption keys, session tokens, and configuration changes.
• Ability to join the ZooKeeper quorum and execute arbitrary commands that are replicated across the entire cluster.
• Complete control over the Central Dogma cluster, affecting all microservices that rely on its configuration.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Central Dogma server is running a version prior to 0.84.0 and if ZooKeeper replication is enabled without a properly set replication.secret configuration.

Specifically, you can verify whether the default hard-coded secret "ch4n63m3" is being used, which indicates the vulnerability is present.

Commands to help detect this might include:

• Checking the Central Dogma server version: `centraldogma-server --version` or inspecting the deployed version.
• Reviewing the configuration files for the presence and value of `replication.secret`.
• Monitoring network traffic on ZooKeeper quorum ports to detect unauthorized authentication attempts using the default secret.
• Using network scanning or packet capture tools (e.g., tcpdump, Wireshark) to identify replication traffic that uses the known default secret.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade Central Dogma server to version 0.84.0 or later where the vulnerability is fixed.
• Ensure that the `replication.secret` configuration is explicitly set to a new, strong, random secret on every replica.
• Avoid relying on the default hard-coded secret by verifying that the system fails closed if the secret is missing or set to the legacy placeholder.
• Restrict network access to ZooKeeper quorum ports to trusted hosts only to reduce exposure.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker with network access to fully compromise the Central Dogma cluster by reading sensitive data such as encryption keys, session tokens, and configuration changes, as well as executing arbitrary commands across the cluster.

Such unauthorized access and potential data exposure can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over sensitive data confidentiality and integrity.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to the risk of unauthorized data disclosure and manipulation.

Useful 0 Not Useful 0