Executive Summary

CVE-2026-11748 is an LDAP injection vulnerability found in the SearchFirstActiveDirectoryRealm component of centraldogma-server-auth-shiro versions prior to 0.84.0.

The vulnerability occurs because the login username is directly inserted into an LDAP search filter without escaping special LDAP filter metacharacters like *, (, ), \, and NUL. This allows an unauthenticated attacker to manipulate the LDAP filter.

Exploitation can cause authentication confusion, audit log evasion, and directory enumeration by crafting malicious usernames that alter the LDAP query behavior.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several impacts:

• Authentication confusion: An attacker can use wildcards to cause the system to authenticate as a privileged account if they know its password.
• Audit log evasion: Malformed LDAP filters are logged verbatim, breaking accountability and making it difficult to trace malicious activity.
• Directory enumeration: Attackers can infer the structure of the Active Directory, including user existence and group memberships, by using wildcards and timing analysis.

Overall, this can lead to unauthorized access, loss of audit integrity, and exposure of sensitive internal directory information.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability impacts compliance by undermining audit log integrity and accountability.

Specifically, malformed LDAP filters are logged verbatim, which can break compliance with standards such as SOX, PCI-DSS, and ISO 27001 that require reliable audit trails.

While GDPR and HIPAA are not explicitly mentioned, the exposure of directory structure and potential unauthorized access could lead to violations related to data protection and access controls.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring login attempts to the Central Dogma server-auth-shiro component for unusual LDAP filter patterns or authentication confusion signs.

Specifically, look for login usernames containing LDAP filter metacharacters such as *, (, ), \, and NUL that are not properly escaped.

You can also analyze audit logs for malformed LDAP filters like 'bob)(uid=alice' that indicate possible injection attempts.

Network detection might involve capturing and inspecting login requests to the Central Dogma login page for suspicious usernames using tools like tcpdump or Wireshark.

• Use tcpdump or tshark to capture login traffic: tcpdump -i <interface> -A port <login_port> | grep -E 'username=\*|username=.*\(|username=.*\)'
• Search server logs for LDAP filter injection patterns: grep -E 'username=.*[\*\(\)\\]' /path/to/centraldogma/logs/*
• Monitor for authentication confusion by checking for successful logins with unusual usernames such as '*' or malformed inputs.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade centraldogma-server-auth-shiro to version 0.84.0 or later, where the vulnerability is fixed by properly escaping LDAP filter metacharacters in usernames.

If upgrading is not immediately possible, consider implementing input validation or filtering on the login username to reject or escape LDAP metacharacters such as *, (, ), \, and NUL.

Additionally, monitor and restrict network access to the Central Dogma login page to trusted users only, reducing exposure to unauthenticated attackers.

Review and enhance audit logging to detect and respond to suspicious login attempts that may indicate exploitation attempts.

Useful 0 Not Useful 0