CVE-2026-11748 | THREATINT

Description

A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-22 | Updated 2026-06-22 | Assigner LY-Corporation

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-90

Product status

Default status

affected

0.84.0 (custom) before *

unaffected

References

github.com/...ldogma/security/advisories/GHSA-98q5-5qh2-7w75

cve.org (CVE-2026-11748)

nvd.nist.gov (CVE-2026-11748)

Download JSON