GO-2026-5872
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass in github.com/centrifugal/centrifugo
Details
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass in github.com/centrifugal/centrifugo
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for github.com/centrifugal/centrifugo (go modules). Pin to a known-safe version or switch to an alternative.
0 No fixed version published yet for github.com/centrifugal/centrifugo/v3 (go modules). Pin to a known-safe version or switch to an alternative.
0 No fixed version published yet for github.com/centrifugal/centrifugo/v4 (go modules). Pin to a known-safe version or switch to an alternative.
0 No fixed version published yet for github.com/centrifugal/centrifugo/v5 (go modules). Pin to a known-safe version or switch to an alternative.
0 Fixed in: 6.8.1 go get github.com/centrifugal/centrifugo/v6@v6.8.1