Home/ Blog/ Security news/ Article
Blog · Security news

Run Central Dogma across servers? It may be guarding your config with a password printed in its source code

Central Dogma before 0.84.0 silently uses a public default secret when ZooKeeper replication runs without one set, letting nearby attackers seize the cluster.

Isometric ring of linked server nodes around a single glowing central token
By Noam Alum · ·Security news · 4 min read Mitigate now

If you run Central Dogma across more than one server, check one setting before you finish this paragraph. Versions before 0.84.0 can guard the entire cluster with a password that is printed in the project's own public source code, and they do it without telling you.

Central Dogma is an open-source service-configuration store from LY Corporation, the company behind the LINE messaging app. Teams use it to hold application settings and hand them out to running services. In its high-availability setup, several Central Dogma servers stay in sync through an embedded copy of ZooKeeper, the coordination service that keeps a cluster's nodes agreeing on shared state. That sync channel is meant to be locked with a secret you choose.

The flaw, tracked as CVE-2026-11746 and rated 9.4 out of 10, is about what happens when you never choose one. Rather than refuse to start, the server quietly drops in a built-in default: the string ch4n63m3, leetspeak for "change me." There is no warning, no log line, no startup error. LY Corporation's own security advisory confirms the value lives in the public repository, so anyone can read it.

Why a silent default is worse than a normal bug

A coding mistake is an accident you patch and move on from. A credential that switches itself on without a word is a design that turns one skipped configuration step into an open door. The operator who omits replication.secret gets a cluster that boots, passes health checks, and looks completely normal. Nothing signals that the lock is one everybody already has a key to. The insecure path is the frictionless one, which is exactly how these defaults survive for years.

Who is exposed, and from where

Two things have to be true. Replication has to be set to ZooKeeper mode, the usual choice for any production cluster, and replication.secret has to be empty or missing. A standalone, single-node install does not replicate and is not affected. The advisory lays out two routes in.

  • From the same machine. A local attacker can speak to the ZooKeeper port bound to localhost using the known secret and read the full sync log, which carries configuration data and key-management commands.
  • From a neighbor on the network. Where the cluster's coordination ports are reachable by other workloads, an attacker can pretend to be a peer, join the group, and push commands that every node then runs.

The severity vector marks this as an adjacent-network attack rather than an internet-wide one. That distinction comforts fewer people than it should. In a shared Kubernetes cluster, "adjacent" can mean a pod that belongs to a completely different team sitting one network hop away from your coordination ports. The blast radius the advisory describes is the whole group of replicas.

The part that should worry you most

Central Dogma can encrypt what it stores, and the commands that rotate its master encryption key travel through the same ZooKeeper channel this secret protects. Read the sync log and you can see that key-management traffic. The practical result: "our configuration is encrypted at rest" is not an answer to this problem. An attacker who joins the group can also inject commands that replicate to every node, so this is not only an exposure of data but a path to changing it across the cluster.

What to do now

Treat any cluster that ran without an explicit secret as already exposed, then work in this order.

  1. Upgrade to 0.84.0 or later. The fix deletes the built-in secret, demands an explicit value of at least 32 characters, refuses obvious placeholders, and fails to start if replication is on without one.
  2. Set replication.secret to a unique, random value and roll it out to every node.
  3. If you ever ran on the default, rotate the secret and assume the old one is public, because it always was.
  4. Audit the commands that moved through the cluster while the default was active, with extra attention to master-key rotation.
  5. Restrict network reach to the client and coordination ports so only cluster members can talk to them.

There is no gentle workaround on an unpatched version. Your only real interim choices are to turn ZooKeeper replication off entirely or to set a proper secret and rotate it, then upgrade as soon as you can.

The same story, a different name

We keep writing this post. A Squid proxy weakness leaked other users' credentials and the headline update did not close it. Gravity SMTP handed out live email API keys to anyone who asked. An authentication library let a stranger sign in with nothing but an email address. The pattern under all of them is the same: when the secret is the problem, the patch is only half the work. Patching removes the default. It cannot un-publish a value that sat in a public repository for as long as the feature existed. Rotate first, patch second, then go read what passed through your cluster while the door stood open.

Frequently asked questions

What is CVE-2026-11746 in Central Dogma?

CVE-2026-11746 is a critical flaw in Central Dogma, LY Corporation's open-source configuration store. When ZooKeeper replication runs without a configured replication.secret, the server silently falls back to a publicly known built-in secret, letting a network-adjacent attacker read the sync log or take over the cluster. It scores 9.4 out of 10.

Which Central Dogma versions are affected?

All Central Dogma server versions before 0.84.0 are affected, and 0.84.0 is the fix. The patched release removes the built-in secret, requires an explicit replication.secret of at least 32 characters, rejects placeholder values, and refuses to start if replication is enabled without one.

Am I affected if I run a single Central Dogma server?

No, a standalone single-node Central Dogma is not affected. The flaw only triggers when replication is set to ZooKeeper mode and replication.secret is left empty or unset. Installs that use no replication never load the vulnerable default secret.

Is patching enough to fix the hard-coded secret?

No, upgrading alone is not enough if you ever ran with the default. The built-in secret has been readable in the public source code, so treat it as compromised: set a unique secret, rotate it, and audit any replicated commands issued while the default was active.

Has CVE-2026-11746 been exploited in the wild?

No public in-the-wild exploitation was reported at disclosure on June 22, 2026. The vendor advisory does include a working proof-of-concept for the same-host attack and documents a second network-based path, so a usable technique is already public.

Keep reading
Security news

PaperCut's Windows print client can be tricked into giving a local attacker total control

CVE-2026-6645 lets a local attacker plant a file that PaperCut's Print Deploy client runs with full system rights on Windows. Update to version 1.10.4178.

Suriq's Jack · Jun 22, 2026
Security news

Your Squid proxy can leak other users' passwords, and the 7.6 update won't fix it

Squidbleed (CVE-2026-47729) leaks memory from Squid proxies in default config, including login credentials. A public exploit is out, and 7.6 does not patch it.

Noam Alum · Jun 22, 2026
Security news

That decade-old router you forgot is now scanning networks for attackers

A botnet called AryStinger hijacked over 4,300 end-of-life D-Link and Linksys routers into a distributed scanning grid for reconnaissance, not DDoS. What to do.

Suriq's Jack · Jun 21, 2026

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.

Request access Meet the clan