๐Ÿ” CVE Alert

CVE-2026-49998

HIGH 8.2

Centrifugo: Dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass

CVSS Score
8.2
EPSS Score
0.0%
EPSS Percentile
0th

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or trust-domain namespace, affecting client.token.jwks_public_endpoint, client.subscription_token.jwks_public_endpoint, internal/jwks/cache.go, and internal/jwks/manager.go. This issue is fixed in version 6.8.1.

CWE CWE-347
Vendor centrifugal
Product centrifugo
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for centrifugal centrifugo

Be the first to know when new high vulnerabilities affecting centrifugal centrifugo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

centrifugal / centrifugo
< 6.8.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/centrifugal/centrifugo/security/advisories/GHSA-g6vg-wj8f-48cj github.com: https://github.com/centrifugal/centrifugo/pull/1142 github.com: https://github.com/centrifugal/centrifugo/commit/15d785015c6f318c1b68ea40b813699c9f8bd2c4 github.com: https://github.com/centrifugal/centrifugo/releases/tag/v6.8.1