3 matches found
CVE-2026-49998 Centrifugo: Dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the JWKS key caching process. An attacker can gain unauthorized access to another issuer or tenant's resources by crafting a valid token for one allowed issuer and exploiting the cache...
get-jwks 安全漏洞
get-jwks is a Nearform open source utility for obtaining JWKS keys. A security vulnerability exists in get-jwks versions prior to 11.0.2, which stems from a cache poisoning issue in the JWKS key fetching mechanism that could lead to bypassing issuer authentication...