EXECUTIVE SUMMARY:
CVE-2026-49998 (CVSS 8.2, High) is an authentication bypass vulnerability affecting Centrifugo versions 2.4.0, 3.2.3, 4.1.5, 5.4.9, and 6.8.0 and earlier. The issue arises because the dynamic JSON Web Key Set (JWKS) cache is keyed solely by the token's `kid` header parameter rather than by the issuer or endpoint the key was fetched from. In multi-issuer deployments that use dynamic JWKS endpoints, an attacker who can obtain or mint a valid token for one issuer can exploit this flaw when that issuer uses the same `kid` value as another, targeted issuer and the key is already cached. The attacker can then bypass authentication and have connection or subscription tokens verified as if they came from a different, trusted issuer. The result is unauthorized cross-tenant access, which can compromise data confidentiality and integrity by letting an attacker impersonate legitimate users or reach restricted resources. Exploitation requires Centrifugo to be configured with templated JWKS public endpoints derived from JWT claims such as `iss` or `aud`.
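To make the cache-keying defect concrete, the following is an added Go example (not Centrifugo's own code) that models a JWKS key cache keyed by `kid` alone beside one keyed by endpoint plus `kid`, and checks how each treats a token signed by one issuer but claiming another issuer's `iss`. The issuer names, the endpoint template and the in-memory key directory are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Directory is a constructed in-memory stand-in for remote JWKS endpoints
// (endpoint URL -> kid -> public key); real Centrifugo fetches these over HTTP.
type Directory map[string]map[string]ed25519.PublicKey

// KeyCache caches keys fetched from JWKS endpoints. With perEndpoint=false the
// cache entry is keyed by kid alone, which is the defect the advisory describes.
type KeyCache struct {
	perEndpoint bool
	dir         Directory
	cache       map[string]ed25519.PublicKey
}

func (c *KeyCache) Resolve(endpoint, kid string) (ed25519.PublicKey, bool) {
	ck := kid
	if c.perEndpoint { // fixed behaviour: scope the entry to the endpoint it came from
		ck = endpoint + "#" + kid
	}
	if pk, ok := c.cache[ck]; ok {
		return pk, true
	}
	pk, ok := c.dir[endpoint][kid]
	if ok {
		c.cache[ck] = pk
	}
	return pk, ok
}

// endpointFor mirrors a JWKS endpoint URL templated from the token's iss claim (assumed template).
func endpointFor(iss string) string { return "https://" + iss + "/.well-known/jwks.json" }

// Verify checks a simplified JWT (kid header, iss claim, payload, Ed25519 signature over iss+"."+payload).
func Verify(c *KeyCache, kid, iss, payload string, sig []byte) bool {
	pk, ok := c.Resolve(endpointFor(iss), kid)
	return ok && ed25519.Verify(pk, []byte(iss+"."+payload), sig)
}

// Scenario: issuer-a and issuer-b publish different keys under the same kid "k1". A
// legitimate issuer-a token warms the cache, then a token signed with issuer-a's key but
// claiming iss=issuer-b is checked. Returns (legitimate accepted, cross-issuer accepted).
func Scenario(perEndpoint bool) (bool, bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	dir := Directory{endpointFor("issuer-a"): {"k1": pubA}, endpointFor("issuer-b"): {"k1": pubB}}
	c := &KeyCache{perEndpoint: perEndpoint, dir: dir, cache: map[string]ed25519.PublicKey{}}
	legitOK := Verify(c, "k1", "issuer-a", "u=1", ed25519.Sign(privA, []byte("issuer-a.u=1")))
	forgedOK := Verify(c, "k1", "issuer-b", "u=1", ed25519.Sign(privA, []byte("issuer-b.u=1")))
	return legitOK, forgedOK
}
```

With the `kid`-only cache the second token is accepted because the cached issuer-a key is reused for an issuer-b lookup; scoping the cache entry to the endpoint forces a fetch of issuer-b's key and the signature check fails.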
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-g6vg-wj8f-48cj