CVE-2026-49998
Published 2026-07-01. Severity: high.
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
#### Summary
Centrifugo's dynamic JWKS endpoint feature can verify a JWT for one allowed issuer using a public key cached from another allowed issuer. The JWKS cache and `singleflight` lookup are keyed only by the JWT header `kid`, not by the resolved JWKS endpoint, issuer, audience, or other trust-domain namespace.
In a documented multi-issuer dynamic JWKS configuration, an attacker who can obtain or mint a valid token for issuer/tenant A can authenticate as issuer/tenant B if both JWKS documents use the same `kid` value and tenant A's key is cached first. This affects connection token verification and subscription token verification because both paths use the same JWKS verification manager.
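As an added illustration (not Centrifugo's code), the following Go program models the keying problem described above: one JWKS key cache shared by two tenants whose documents both publish kid `key-1`, looked up first through a cache keyed only by `kid` and then through one scoped to the resolved JWKS endpoint. The endpoint URLs and key labels are constructed placeholders standing in for real JWKS fetches and JSON Web Keys.

```go
package main

import "fmt"

// Constructed JWKS documents (kid -> public key label) for two tenants that
// both publish kid "key-1". Illustrative code, not Centrifugo's.
var tenantJWKS = map[string]map[string]string{
	"https://a.example/jwks.json": {"key-1": "PUBKEY-TENANT-A"},
	"https://b.example/jwks.json": {"key-1": "PUBKEY-TENANT-B"},
}

// keyCache caches public keys; keyFn decides how entries are namespaced.
type keyCache struct {
	keyFn  func(endpoint, kid string) string
	cached map[string]string
}

// publicKey returns the key for kid at endpoint, fetching on a cache miss.
func (c *keyCache) publicKey(endpoint, kid string) (string, error) {
	ck := c.keyFn(endpoint, kid)
	if k, ok := c.cached[ck]; ok {
		return k, nil // hit: the endpoint is never consulted if keyFn ignores it
	}
	k, ok := tenantJWKS[endpoint][kid] // stands in for fetching the JWKS URL
	if !ok {
		return "", fmt.Errorf("kid %q not present in JWKS at %s", kid, endpoint)
	}
	c.cached[ck] = k
	return k, nil
}

// kidOnly models the vulnerable keying: the resolved endpoint is ignored.
func kidOnly(_, kid string) string { return kid }

// endpointAndKid is the hardened keying: entries are scoped to the endpoint.
func endpointAndKid(endpoint, kid string) string { return endpoint + "\x00" + kid }

// resolveKeys looks up kid "key-1" for tenant A, then tenant B, via one shared cache.
func resolveKeys(keyFn func(string, string) string) (a, b string) {
	c := &keyCache{keyFn: keyFn, cached: map[string]string{}}
	a, _ = c.publicKey("https://a.example/jwks.json", "key-1")
	b, _ = c.publicKey("https://b.example/jwks.json", "key-1")
	return a, b
}

func main() {
	a, b := resolveKeys(kidOnly)
	fmt.Println("kid-only:    ", a, b) // tenant B is verified with tenant A's key
	a, b = resolveKeys(endpointAndKid)
	fmt.Println("endpoint+kid:", a, b)
}
```

With the `kid`-only cache the second lookup is a hit on tenant A's entry, so a token from tenant B would be checked against tenant A's key; scoping the cache key to the endpoint makes each tenant's lookup miss and fetch its own document.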
#### Details
The vulnerable path is reachable when either of these shipped configuration options is set to a templated JWKS URL using values derived from JWT `iss` or `aud` claims:
- `client.token.jwks_public_endpoint`
- `client.subscription_token.jwks_public_endpoint`
Relevant shipped config fields are defined in `internal/configtypes/types.go:59-65`, mapped into verifier configuration in `internal/confighelpers/jwt.go:36-41`, and exposed in the generated config schema at `internal/cli/configdoc/schema.json:3927`, `3947`, `3967`, `3987`, `4069`, `4089`, `4109`, and `4129`. Dynamic JWKS endpoints based on `iss` and `aud` are documented in the project changelog at `CHANGELOG.md:107`.
External clients control JWT connection and subscription tokens:
- Connection tokens reach `VerifyConnectToken` from `internal/client/handler.go:350-352`.
- Normal subscription tokens reach `VerifySubscribeToken` from `internal/client/handler.go:769-775`.
- Subscription refresh tokens reach `VerifySubscribeToken` from `internal/client/handler.go:628-632`.
The verifier must parse token claims before signature verification to resolve the dynamic JWKS endpoint:
- `VerifyConnectToken` parses
#### Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | centrifugal_centrifugo | 0 – 2.4.0 | — |
| github.com | centrifugal_centrifugo_v3 | 0 – 3.2.3 | — |
| github.com | centrifugal_centrifugo_v4 | 0 – 4.1.5 | — |
| github.com | centrifugal_centrifugo_v5 | 0 – 5.4.9 | — |
| github.com | centrifugal_centrifugo_v6 | >= 0 < 6.8.1 | 6.8.1 |