CVE-2026-62963 is a high-severity vulnerability affecting Centrifugo, an open-source scalable real-time messaging server. The issue arises from the unidirectional WebSocket transport with uni_websocket.compression enabled, which enforces uni_websocket.message_size_limit against compressed wire-frame length. However, ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenti [truncated]
CVE-2026-49998 is a HIGH severity vulnerability in Centrifugo, an open-source scalable real-time messaging server. The dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer. This issue arises because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or trust-domain [truncated]