VYPR
Unrated severity · NVD Advisory · Published Jun 22, 2026

CVE-2026-11746

Description

A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing input validation in ZooKeeperReplicationConfig causes a silent fallback to a hard-coded, publicly known secret when replication.secret is not configured."

Attack vector

An attacker with network access to a Central Dogma replica can exploit the hard-coded ZooKeeper replication secret `ch4n63m3` (leetspeak for "change me") [ref_id=1]. The secret is silently substituted when the operator omits `replication.secret`, and it is used for both client-port super authentication and inter-peer quorum SASL. On the same host (Surface A), the attacker authenticates over SASL DIGEST-MD5 to the loopback-bound client port and reads the full replication log. On the inter-replica network (Surface B), the attacker can spin up a rogue ZooKeeper process with the same secret, join the quorum, receive all replicated commands in real time, and write forged entries that are auto-replayed across the cluster.

Affected code

The vulnerability resides in `ZooKeeperReplicationConfig.java` (line 53 constant `DEFAULT_SECRET = "ch4n63m3"` and lines 210–215 silent fallback in `secret()`) and in `ZooKeeperCommandExecutor.java` (lines 586–607 JAAS wiring that uses the same secret for both client and quorum SASL contexts). The embedded ZooKeeper class `EmbeddedZooKeeper` extends `QuorumPeer` and binds client ports to loopback but quorum/election ports to the configured host, exposing the inter-replica network.

What the fix does

The patch removes the `DEFAULT_SECRET` constant and the `firstNonNull(convertValue(...), DEFAULT_SECRET)` fallback in `ZooKeeperReplicationConfig.secret()`. Instead, the constructor validates that `replication.secret` is non-null and non-empty, explicitly rejects the legacy placeholder `ch4n63m3`, and enforces a minimum length of 32 characters. This makes the server fail closed at startup rather than silently falling back to a publicly known credential, eliminating both the client-port and quorum-port attack surfaces.
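The fail-closed check described above, written out as a small stand-alone Java class. This is an added illustration, not Central Dogma's own code: the class and method names are hypothetical, while the rejected placeholder and the 32-character minimum are the values the advisory gives.

```java
/** Added illustration of the fail-closed validation; not Central Dogma's own code. */
public final class ReplicationSecretCheck {
    // Legacy placeholder named in the advisory; accepting it would reopen the fallback path.
    static final String LEGACY_PLACEHOLDER = "ch4n63m3";
    // Minimum length the advisory says the patched constructor enforces.
    static final int MIN_SECRET_LENGTH = 32;

    /**
     * Returns the validated secret, or throws so that a misconfigured server refuses to
     * start instead of silently authenticating the ensemble with a public credential.
     */
    static String requireSecret(boolean zookeeperReplication, String secret) {
        if (!zookeeperReplication) {
            return secret; // ZooKeeper replication off: the secret is never used
        }
        if (secret == null || secret.isEmpty()) {
            throw new IllegalArgumentException(
                "replication.secret must be set when replication.method is ZOOKEEPER");
        }
        if (LEGACY_PLACEHOLDER.equals(secret)) {
            throw new IllegalArgumentException(
                "replication.secret is the legacy placeholder; generate a unique secret");
        }
        if (secret.length() < MIN_SECRET_LENGTH) {
            throw new IllegalArgumentException(
                "replication.secret must be at least " + MIN_SECRET_LENGTH + " characters");
        }
        return secret;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (hypothetical, not taken from any real deployment).
        String[] samples = { null, "", "ch4n63m3", "short", "0123456789abcdef0123456789abcdef" };
        for (String s : samples) {
            try {
                requireSecret(true, s);
                System.out.println("accepted (length " + s.length() + ")");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running it rejects the first four samples and accepts only the 32-character one; placing the check in the configuration constructor is what makes the error surface at startup rather than on first replication.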

Preconditions

  • Config: ZooKeeper replication must be enabled (`replication.method` set to `ZOOKEEPER`)
  • Config: `replication.secret` must be omitted or set to the legacy placeholder
  • Network: the attacker must have network access to the replica's loopback interface (Surface A) or to the inter-replica quorum/election ports (Surface B)

Reproduction

The advisory includes a working Python PoC using kazoo and pure-sasl that connects to 127.0.0.1:2381, authenticates as `super` with password `ch4n63m3` via SASL DIGEST-MD5, and reads entries from `/dogma/logs`. Setup requires editing `dogma.json` to enable ZOOKEEPER replication without setting `replication.secret`, then launching Central Dogma. The PoC is hardcoded to loopback and read-only.

Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
