CVE-2026-11748
Description
A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- centraldogma-server-auth-shiro, range: <0.84.0
Vulnerability mechanics
Root cause
"Missing RFC 4515 filter metacharacter escaping in SearchFirstActiveDirectoryRealm.findUserDn() allows LDAP injection."
Attack vector
An unauthenticated attacker sends a crafted username (e.g., `*`, `bob)(uid=alice`) in a POST to `/api/v1/login`. The username flows through Shiro's `UsernamePasswordToken` into `findUserDn()`, where it is substituted raw into the LDAP filter. Combined with `SearchControls.setCountLimit(1)`, a wildcard returns the first directory entry (often a privileged account), enabling authentication confusion. Filter metacharacters also enable audit log evasion and directory structure enumeration. The attack requires no prior account or MITM position.
Affected code
The vulnerability resides in `SearchFirstActiveDirectoryRealm.findUserDn()` in `server-auth/shiro/src/main/java/com/linecorp/centraldogma/server/auth/shiro/realm/SearchFirstActiveDirectoryRealm.java` (lines 148–176). The method substitutes the user-supplied username into an LDAP search filter template (default `cn={0}`) using `replaceAll()` without escaping RFC 4515 filter metacharacters. A repository-wide search for any LDAP escape helper (`escapeLdap`, `encodeFilter`, `escapeFilter`, `ldapEscape`) returned zero hits.
What the fix does
The advisory prescribes adding an RFC 4515 §3 filter escape helper (`encodeLdapFilter`) that escapes `\`, `*`, `(`, `)`, and `\0` before substitution. The escaped value must also be passed through `Matcher.quoteReplacement()`, because the escaping introduces backslashes, and `replaceAll()` treats backslashes (and `$` group references) in the replacement string specially rather than inserting them literally. The advisory explicitly notes that the existing `loginNameNormalizer` (Unicode lowercase only) is insufficient for this defense.
Preconditions
- Network: the attacker must be able to reach the Central Dogma login page (any unauthenticated network client).
- Configuration: the server must be configured to use the opt-in SearchFirstActiveDirectoryRealm (not the default DefaultLdapRealm).
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.