PatchSiren cyber security CVE debrief
CVE-2026-49998 centrifugal CVE debrief
CVE-2026-49998 is a HIGH severity vulnerability in Centrifugo, an open-source scalable real-time messaging server. The dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer. This issue arises because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or trust-domain namespace. The vulnerability affects client.token.jwks_public_endpoint, client.subscription_token.jwks_public_endpoint, internal/jwks/cache.go, and internal/jwks/manager.go. The issue is fixed in version 6.8.1.
- Vendor
- centrifugal
- Product
- centrifugo
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Centrifugo, especially those using dynamic JWKS endpoint verification for JWT validation, should be aware of this vulnerability. If Centrifugo is used in an environment where multiple issuers are configured, the risk of key reuse across issuers could lead to security issues. Upgrading to version 6.8.1 or later is recommended.
Technical summary
The vulnerability in Centrifugo's dynamic JWKS endpoint verification allows for key reuse across different issuers. This happens because the caching and lookup mechanisms for JWKS are not properly isolated by issuer, audience, or trust-domain namespace. Specifically, the implementation only considers the 'kid' (Key ID) from the JWT header, which is not sufficient for distinguishing between keys from different issuers or endpoints. This could lead to a situation where a JWT meant for one issuer could be verified with a key intended for another, potentially allowing unauthorized access or token forgery.
Defensive priority
High priority should be given to upgrading Centrifugo to version 6.8.1 or later. In the meantime, users should review their current configuration and usage of JWKS endpoint verification, especially in multi-issuer environments. Implementing additional monitoring or compensating controls to detect and prevent potential misuse of JWTs could be considered.
Recommended defensive actions
- Upgrade Centrifugo to version 6.8.1 or later.
- Review and adjust the configuration of dynamic JWKS endpoint verification.
- Implement additional monitoring for potential JWT misuse.
- Consider compensating controls for environments with multiple issuers.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. Additional details can be found in the Centrifugo commit, pull request, release, and security advisory on GitHub. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Users should verify the official Centrifugo documentation and security advisories for the most accurate and up-to-date information. The vulnerability affects client.token.jwks_public_endpoint, client.subscription_token.jwks_public_endpoint, internal/jwks/cache.go, and internal/jwks/manager.go. Dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or trust-domain namespace.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T20:16:45.290Z and has not been modified since then.