CVE-2026-11746 - Central Dogma ZooKeeper replication secret cluster takeover

CVE-2026-11746 affects centraldogma-server when ZooKeeper replication is enabled and replication.secret is left unset. Vulnerable releases silently fall back to a hard-coded, publicly known secret, which means a network-adjacent attacker that can reach the replication plane may authenticate to the embedded ZooKeeper ensemble, read replication traffic, or impersonate a peer and submit replicated commands across the cluster.

This is not just a dependency issue. Exposure exists only when the repository or deployment actually enables replication and leaves the secret implicit or defaulted.

When to use it

  • A repository deploys, builds, pins, or configures Central Dogma with ZooKeeper-backed replication, cluster mirroring, or peer replication enabled.
  • replication.secret is absent, inherited, placeholder-like, shared across environments, or sourced from unclear deployment defaults.
  • Replication or ZooKeeper ports are reachable from shared internal networks, Kubernetes clusters, service meshes, or non-peer workloads.
  • You need a bounded PR or triage note that upgrades Central Dogma, requires explicit secret wiring, and documents rotation/restart actions.

Inputs

  • Java/Maven/Gradle dependencies, Dockerfiles, images, Helm/K8s/Compose manifests, Terraform/Ansible, application configs, secret-store references, SBOMs, generated manifests, and runbooks.
  • Replication enablement, replication.secret source, ZooKeeper reachability, peer identity model, cluster/environment boundaries, audit log ownership, and rotation procedure.
  • Available dependency checks, config render/validation, chart tests, network policy checks, deployment diff, SBOM, and security scan commands.

Affected versions

Package Vulnerable versions Fixed versions
centraldogma-server < 0.84.0 0.84.0+

Indicator-of-exposure

  • The repository resolves centraldogma-server < 0.84.0.
  • Deployment enables ZooKeeper replication or cluster mirroring.
  • No explicit replication.secret is configured, or automation/templates rely on server defaults.
  • The replication or ZooKeeper ports are reachable from broader internal networks, shared clusters, or untrusted segments.

Quick checks:

rg -n "centraldogma|replication.secret|zookeeper|replication|mirror" .
rg -n "replication.secret" config* application*.yml application*.yaml application*.properties helm charts k8s deploy docker-compose*.yml

Windows:

rg -n "centraldogma|replication.secret|zookeeper|replication|mirror" .
rg -n "replication.secret" config* application*.yml application*.yaml application*.properties helm charts k8s deploy docker-compose*.yml

Do not validate exposure by attempting to join or manipulate a live quorum.

Remediation strategy

  • Upgrade centraldogma-server to 0.84.0+.
  • Set a unique explicit replication.secret in every environment; do not rely on defaults or inheritance.
  • Rotate any previously implicit or shared replication credential and redeploy every peer so old replicas cannot keep authenticating.
  • Restrict replication/ZooKeeper network reachability to intended peers only.
  • Review cluster audit logs, ZooKeeper connection history, and recent replication activity for unexpected peers or actions.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-11746 / GHSA-2j95-gqxf-v3vg, a critical Central
Dogma flaw where enabling ZooKeeper replication without an explicit
`replication.secret` causes a fallback to a public hard-coded secret. Produce
exactly one output:

- A reviewer-ready PR/change request that upgrades Central Dogma, pins an
  explicit replication secret, hardens deployment defaults, adds safe checks,
  and documents operator rotation steps, or
- TRIAGE.md if this repository does not control an affected Central Dogma
  runtime or replication configuration.

## Rules

- Scope only CVE-2026-11746 and directly related replication-secret,
  ZooKeeper, peer-authentication, and deployment-hardening paths.
- Treat secrets, replication logs, cluster membership, service credentials, and
  config repositories as sensitive.
- Do not generate or use a real production secret in the patch.
- Do not probe a live ZooKeeper quorum or attempt quorum joins.
- Do not auto-merge.

## Steps

1. Inventory every controlled Central Dogma dependency, image, chart, manifest,
   and configuration surface.
2. Resolve versions. Any `centraldogma-server < 0.84.0` is vulnerable.
3. Determine whether replication is enabled and where `replication.secret` is
   sourced from.
4. If this repository does not own the runtime or replication configuration,
   stop with `TRIAGE.md` naming the runtime owner and required fixed version.
5. Upgrade all controlled Central Dogma references to `0.84.0+`.
6. Add explicit configuration that requires `replication.secret` to be set from
   a secret store or deployment secret, never from a silent fallback.
7. Ensure examples, Helm values, manifests, and docs do not imply an empty or
   default replication secret is acceptable.
8. Add safe regression checks that fail config validation when replication is
   enabled without an explicit non-placeholder secret.
9. Add a PR body section named `CVE-2026-11746 operator actions` covering:
   - versions before and after;
   - whether replication was enabled;
   - where the secret now comes from;
   - secret rotation and peer restart requirements;
   - logs and artifacts operators should review for prior misuse.
10. Run relevant validation: dependency resolution, config rendering, tests,
    linting, and deployment diff checks.
11. Use PR title:
    `fix(sec): remediate Central Dogma replication secret fallback`.

## Stop conditions

- No controlled Central Dogma runtime exists.
- The repository cannot safely add secret wiring because secret management is
  owned elsewhere; document the ownership boundary in `TRIAGE.md`.
- Verification would require using live credentials or interacting with a live
  quorum.

Verification - what the reviewer looks for

  • No controlled deployment resolves centraldogma-server < 0.84.0.
  • Replication cannot be enabled without an explicit secret.
  • Default/example configs no longer normalize to an unsafe fallback.
  • Operator notes require credential rotation and peer restarts, not only a package bump.

Output contract

  • Reviewer-ready PR upgrading every controlled Central Dogma runtime to 0.84.0+ and refreshing images, manifests, generated reports, SBOMs, and runbooks.
  • Config validation or deployment policy proving replication cannot be enabled without an explicit non-placeholder secret from an approved secret store.
  • Operator notes for replication-secret rotation, peer restarts, ZooKeeper network restrictions, audit/log review, and stale credential cleanup.
  • TRIAGE.md when runtime ownership, secret management, cluster networking, or rotation authority is outside this repository.

Watch for

  • Upgrading Central Dogma but leaving old environment variables or Helm values unset.
  • Reusing the same replication secret across unrelated clusters or environments.
  • Forgetting to rotate credentials after the version bump.

References