CVE-2026-11745

An on-path attacker on the corporate network (e.g., ARP spoofing, DNS poisoning, BGP hijack, or sidecar compromise in Kubernetes) can impersonate the remote Git server for any `git+ssh://` mirror connection. Because the SSH client accepts every host key without verification [ref_id=1], the attacker can intercept the SSH session, exfiltrate mirrored repository contents (including secrets), or inject arbitrary commits that Central Dogma then propagates to all subscribing microservices. No Central Dogma account is required—only network position.

The vulnerability resides in `server-mirror-git/src/main/java/com/linecorp/centraldogma/server/internal/mirror/SshGitMirror.java` (lines 143–160, especially line 149). The `createSshClient()` method installs an Apache MINA SSHD `ServerKeyVerifier` lambda that returns `true` unconditionally, and the surrounding lines disable `known_hosts` and `~/.ssh/config` fallbacks. No host-key pinning mechanism exists anywhere in the `server-mirror-git/` module.

The advisory recommends adding an `acceptedHostKeys` field to `SshKeyCredential` or `PasswordCredential`, replacing the accept-all lambda with a verifier that performs constant-time SHA-256 fingerprint comparison, and refusing to connect when the allowlist is empty (fail-closed). An optional admin tool for explicit trust-on-first-use is also suggested. No patch has been published yet; the advisory itself is the authoritative remediation guidance.