PatchSiren

centrifugal CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH centrifugal CVE published 2026-07-16

CVE-2026-62963

CVE-2026-62963 is a high-severity vulnerability affecting Centrifugo, an open-source scalable real-time messaging server. The issue arises from the unidirectional WebSocket transport with uni_websocket.compression enabled, which enforces uni_websocket.message_size_limit against compressed wire-frame length. However, ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenti [truncated]

HIGH centrifugal CVE published 2026-07-16

CVE-2026-49998

CVE-2026-49998 is a HIGH severity vulnerability in Centrifugo, an open-source scalable real-time messaging server. The dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer. This issue arises because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or trust-domain [truncated]