CVE-2026-11748

MEDIUM

Central Dogma < 0.84.0 - Unauthenticated LDAP Injection via SearchFirstActiveDirectoryRealm

Title source: llm
STIX 2.1

Description

A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.

Scores

CVSS v4 6.9
EPSS 0.0039
EPSS Percentile 30.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-90
Status published
Products (1)
LY Corporation/Central Dogma 0.84.0
Published Jun 22, 2026
Tracked Since Jun 22, 2026