Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-g6vg-wj8f-48cj | Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass |
Fri, 17 Jul 2026 12:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 16 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Centrifugal
Centrifugal centrifugo |
|
| Vendors & Products |
Centrifugal
Centrifugal centrifugo |
Thu, 16 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or trust-domain namespace, affecting client.token.jwks_public_endpoint, client.subscription_token.jwks_public_endpoint, internal/jwks/cache.go, and internal/jwks/manager.go. This issue is fixed in version 6.8.1. | |
| Title | Centrifugo: Dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass | |
| Weaknesses | CWE-347 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T11:13:39.150Z
Reserved: 2026-06-02T18:30:51.283Z
Link: CVE-2026-49998
Updated: 2026-07-17T11:13:34.674Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T20:30:05Z
Github GHSA