CVE-2026-11748
MEDIUMCentral Dogma < 0.84.0 - Unauthenticated LDAP Injection via SearchFirstActiveDirectoryRealm
Title source: llmDescription
A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.
References (1)
Core 1
Scores
CVSS v4
6.9
EPSS
0.0039
EPSS Percentile
30.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-90
Status
published
Products (1)
LY Corporation/Central Dogma
0.84.0
Published
Jun 22, 2026
Tracked Since
Jun 22, 2026