PatchSiren cyber security CVE debrief
CVE-2026-62963 centrifugal CVE debrief
CVE-2026-62963 is a high-severity vulnerability affecting Centrifugo, an open-source scalable real-time messaging server. The issue arises from the unidirectional WebSocket transport with uni_websocket.compression enabled, which enforces uni_websocket.message_size_limit against compressed wire-frame length. However, ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. This vulnerability is fixed in version 6.8.4. Users of Centrifugo, especially those who have enabled uni_websocket.compression, should be aware of this vulnerability and take immediate action to upgrade to version 6.8.4 or apply necessary patches.
- Vendor
- centrifugal
- Product
- centrifugo
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Centrifugo, especially those who have enabled uni_websocket.compression, should be aware of this vulnerability and take immediate action to upgrade to version 6.8.4 or apply necessary patches. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their deployments and plan for mitigation.
Technical summary
The vulnerability is caused by the lack of output cap in ReadMessage after decompression in Centrifugo's unidirectional WebSocket transport with uni_websocket.compression enabled. This allows unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. The issue is addressed in version 6.8.4. Affected users should upgrade to this version or later to mitigate the vulnerability.
Defensive priority
High
Recommended defensive actions
- Upgrade to Centrifugo version 6.8.4 or later
- Disable uni_websocket.compression if not required
- Monitor and limit resource consumption by WebSocket connections
- Implement additional security measures to prevent unauthenticated requests
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-16T20:16:47.533Z and has not been modified since then. The NVD entry is currently 8.7 HIGH. Centrifugo versions prior to 6.8.4 are affected by this vulnerability, which is caused by the lack of output cap in ReadMessage after decompression in Centrifugo's unidirectional WebSocket transport. Users should verify their deployments and consider immediate action to upgrade to version 6.8.4 or apply necessary patches.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T20:16:47.533Z and has not been modified since then.