CVE-2026-49998
Centrifugo: Dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
CVSS Score
8.2
EPSS Score
0.0%
EPSS Percentile
0th
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or trust-domain namespace, affecting client.token.jwks_public_endpoint, client.subscription_token.jwks_public_endpoint, internal/jwks/cache.go, and internal/jwks/manager.go. This issue is fixed in version 6.8.1.
| CWE | CWE-347 |
| Vendor | centrifugal |
| Product | centrifugo |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for centrifugal centrifugo
Be the first to know when new high vulnerabilities affecting centrifugal centrifugo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
centrifugal / centrifugo
< 6.8.1
References
github.com: https://github.com/centrifugal/centrifugo/security/advisories/GHSA-g6vg-wj8f-48cj github.com: https://github.com/centrifugal/centrifugo/pull/1142 github.com: https://github.com/centrifugal/centrifugo/commit/15d785015c6f318c1b68ea40b813699c9f8bd2c4 github.com: https://github.com/centrifugal/centrifugo/releases/tag/v6.8.1