PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62963 centrifugal CVE debrief

CVE-2026-62963 is a high-severity vulnerability affecting Centrifugo, an open-source scalable real-time messaging server. The issue arises from the unidirectional WebSocket transport with uni_websocket.compression enabled, which enforces uni_websocket.message_size_limit against compressed wire-frame length. However, ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. This vulnerability is fixed in version 6.8.4. Users of Centrifugo, especially those who have enabled uni_websocket.compression, should be aware of this vulnerability and take immediate action to upgrade to version 6.8.4 or apply necessary patches.

Vendor
centrifugal
Product
centrifugo
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of Centrifugo, especially those who have enabled uni_websocket.compression, should be aware of this vulnerability and take immediate action to upgrade to version 6.8.4 or apply necessary patches. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their deployments and plan for mitigation.

Technical summary

The vulnerability is caused by the lack of output cap in ReadMessage after decompression in Centrifugo's unidirectional WebSocket transport with uni_websocket.compression enabled. This allows unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. The issue is addressed in version 6.8.4. Affected users should upgrade to this version or later to mitigate the vulnerability.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Centrifugo version 6.8.4 or later
  • Disable uni_websocket.compression if not required
  • Monitor and limit resource consumption by WebSocket connections
  • Implement additional security measures to prevent unauthenticated requests
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-16T20:16:47.533Z and has not been modified since then. The NVD entry is currently 8.7 HIGH. Centrifugo versions prior to 6.8.4 are affected by this vulnerability, which is caused by the lack of output cap in ReadMessage after decompression in Centrifugo's unidirectional WebSocket transport. Users should verify their deployments and consider immediate action to upgrade to version 6.8.4 or apply necessary patches.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T20:16:47.533Z and has not been modified since then.