cbcvebase.
CVE-2026-49998
published 2026-07-01

CVE-2026-49998: Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass

Severity: high
#### Summary

Centrifugo's dynamic JWKS endpoint feature can verify a JWT for one allowed issuer using a public key cached from another allowed issuer. The JWKS cache and `singleflight` lookup are keyed only by the JWT header `kid`, not by the resolved JWKS endpoint, issuer, audience, or other trust-domain namespace. In a documented multi-issuer dynamic JWKS configuration, an attacker who can obtain or mint a valid token for issuer/tenant A can authenticate as issuer/tenant B if both JWKS documents use the same `kid` value and tenant A's key is cached first. This affects both connection token verification and subscription token verification, because both paths use the same JWKS verification manager.

#### Details

The vulnerable path is reachable when either of these shipped configuration options is set to a templated JWKS URL using values derived from JWT `iss` or `aud` claims:

- `client.token.jwks_public_endpoint`
- `client.subscription_token.jwks_public_endpoint`

Relevant shipped config fields are defined in `internal/configtypes/types.go:59-65`, mapped into verifier configuration in `internal/confighelpers/jwt.go:36-41`, and exposed in the generated config schema at `internal/cli/configdoc/schema.json:3927`, `3947`, `3967`, `3987`, `4069`, `4089`, `4109`, and `4129`. Dynamic JWKS endpoints based on `iss` and `aud` are documented in the project changelog at `CHANGELOG.md:107`.

External clients control JWT connection and subscription tokens:

- Connection tokens reach `VerifyConnectToken` from `internal/client/handler.go:350-352`.
- Normal subscription tokens reach `VerifySubscribeToken` from `internal/client/handler.go:769-775`.
- Subscription refresh tokens reach `VerifySubscribeToken` from `internal/client/handler.go:628-632`.

The verifier must parse token claims before signature verification to resolve the dynamic JWKS endpoint:

- `VerifyConnectToken` parses
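The following Go program is an added illustration of the cache-keying flaw described above and of its mitigation; it is not code from the advisory or from Centrifugo. The JWKS fetch is replaced by an in-memory map from resolved endpoint URL to key document so it runs offline, the two issuer URLs, the shared `kid` value `key-1` and the signing input are constructed sample data, and Ed25519 stands in for whatever signing algorithm the real tokens use. The point it demonstrates is the one the advisory makes: once issuer A's key is cached under `kid` alone, a token signed by A verifies against the endpoint resolved for issuer B, whereas a cache keyed by `(endpoint, kid)` rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sync"
)

// jwksDoc stands in for one issuer's fetched JWKS document (kid -> public key).
// Constructed sample type for this example, not Centrifugo's own.
type jwksDoc map[string]ed25519.PublicKey

// endpoints maps a resolved JWKS URL (templated from iss/aud) to its document,
// replacing the HTTP fetch so the example runs offline.
type endpoints map[string]jwksDoc

// resolveFromEndpoint is the simulated fetch-and-select step.
func resolveFromEndpoint(eps endpoints, jwksURL, kid string) (ed25519.PublicKey, bool) {
	doc, ok := eps[jwksURL]
	if !ok {
		return nil, false
	}
	k, ok := doc[kid]
	return k, ok
}

// keyCache resolves a verification key for a (jwksURL, kid) pair.
type keyCache interface {
	Lookup(eps endpoints, jwksURL, kid string) (ed25519.PublicKey, bool)
}

// kidOnlyCache reproduces the flawed design: entries are keyed by the JWT
// header kid alone, so a hit never re-checks which endpoint the key came from.
type kidOnlyCache struct {
	mu   sync.Mutex
	keys map[string]ed25519.PublicKey
}

func (c *kidOnlyCache) Lookup(eps endpoints, jwksURL, kid string) (ed25519.PublicKey, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if k, ok := c.keys[kid]; ok {
		return k, true // cache hit: jwksURL is ignored entirely
	}
	k, ok := resolveFromEndpoint(eps, jwksURL, kid)
	if ok {
		c.keys[kid] = k
	}
	return k, ok
}

// namespacedCache is the mitigation: the cache key includes the resolved JWKS
// endpoint, so identical kids from different issuers never collide. The same
// composite key should be used for any singleflight de-duplication of fetches.
type namespacedCache struct {
	mu   sync.Mutex
	keys map[string]ed25519.PublicKey
}

func cacheKey(jwksURL, kid string) string {
	return jwksURL + "\x00" + kid // NUL separator cannot occur inside a URL
}

func (c *namespacedCache) Lookup(eps endpoints, jwksURL, kid string) (ed25519.PublicKey, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	ck := cacheKey(jwksURL, kid)
	if k, ok := c.keys[ck]; ok {
		return k, true
	}
	k, ok := resolveFromEndpoint(eps, jwksURL, kid)
	if ok {
		c.keys[ck] = k
	}
	return k, ok
}

// verifyToken is the signature check that follows key resolution.
func verifyToken(c keyCache, eps endpoints, jwksURL, kid string, signed, sig []byte) bool {
	pub, ok := c.Lookup(eps, jwksURL, kid)
	return ok && ed25519.Verify(pub, signed, sig)
}

// CrossIssuerCheck runs the advisory's scenario: a token signed by issuer A is
// verified legitimately first (warming the cache), then presented with the
// endpoint resolved for issuer B. Returns (acceptedByKidOnly, acceptedByNamespaced).
func CrossIssuerCheck() (bool, bool) {
	const urlA = "https://issuer-a.example/.well-known/jwks.json" // constructed
	const urlB = "https://issuer-b.example/.well-known/jwks.json" // constructed
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	eps := endpoints{
		urlA: {"key-1": pubA}, // both tenants happen to publish kid "key-1"
		urlB: {"key-1": pubB},
	}
	signed := []byte(`{"iss":"issuer-a","sub":"user-42"}`) // constructed signing input
	sig := ed25519.Sign(privA, signed)

	weak := &kidOnlyCache{keys: map[string]ed25519.PublicKey{}}
	fixed := &namespacedCache{keys: map[string]ed25519.PublicKey{}}

	verifyToken(weak, eps, urlA, "key-1", signed, sig) // tenant A's key is cached first
	verifyToken(fixed, eps, urlA, "key-1", signed, sig)

	return verifyToken(weak, eps, urlB, "key-1", signed, sig),
		verifyToken(fixed, eps, urlB, "key-1", signed, sig)
}

func main() {
	weakAccepts, fixedAccepts := CrossIssuerCheck()
	fmt.Printf("kid-only cache accepts A-signed token for B: %v\n", weakAccepts)        // true
	fmt.Printf("(endpoint, kid) cache accepts A-signed token for B: %v\n", fixedAccepts) // false
}
```

The namespace chosen here is the resolved endpoint URL because that is what the templated `iss`/`aud` lookup actually selects; a deployment could equally include the issuer and audience in the key, but whatever is chosen must be applied to both the cache and the `singleflight` group, otherwise a concurrent fetch for tenant B can still be satisfied by tenant A's in-flight result.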

Affected

5 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | centrifugal_centrifugo | 0 – 2.4.0 | |
| github.com | centrifugal_centrifugo_v3 | 0 – 3.2.3 | |
| github.com | centrifugal_centrifugo_v4 | 0 – 4.1.5 | |
| github.com | centrifugal_centrifugo_v5 | 0 – 5.4.9 | |
| github.com | centrifugal_centrifugo_v6 | >= 0, < 6.8.1 | 6.8.1 |