CVE-2026-39972
Mercure has a Topic Selector Cache Key Collision
In short
Mercure has a flaw in how it stores cached access decisions for private updates. An attacker can craft topic names that create the same cache entry as another topic, tricking the system into delivering private messages to unauthorized users or blocking legitimate ones.
Technical detail
A cache key collision in TopicSelectorStore occurs because topic selectors and topics are concatenated with underscore separators, allowing distinct pairs to produce identical keys. An authenticated attacker who can subscribe or publish can exploit this to poison the cache and bypass authorization checks on private updates, affecting confidentiality and availability.
Summary generated and translated by AI from the official description.
Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones. The cache key was constructed by concatenating the topic selector and topic with an underscore separator. Because both topic selectors and topics can contain underscores, two distinct pairs can produce the same key. An attacker who can subscribe to the hub or publish updates with crafted topic names can exploit this to bypass authorization checks on private updates. This vulnerability is fixed in 0.22.0.
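The collision described above, as an added example in Go (not Mercure's code): a match-result cache keyed by the underscore-joined string, next to the same cache keyed with a length prefix. The helper names, the equality-only matcher and the sample topic strings are constructed for illustration, and the length-prefixed key is one collision-free construction, not necessarily the change shipped in 0.22.0.

```go
package main

import (
	"fmt"
	"strconv"
)

// joinedKey reproduces the construction the advisory describes: selector and
// topic concatenated with "_". Hypothetical helper, not Mercure's source.
func joinedKey(selector, topic string) string { return selector + "_" + topic }

// prefixedKey records the selector length first, so the boundary between the
// two fields is unambiguous whatever characters they contain.
func prefixedKey(selector, topic string) string {
	return strconv.Itoa(len(selector)) + ":" + selector + topic
}

// exactMatch stands in for real selector matching (assumption: equality only).
func exactMatch(selector, topic string) bool { return selector == topic }

// cachedMatch memoizes exactMatch in cache under the key produced by keyOf.
func cachedMatch(cache map[string]bool, keyOf func(s, t string) string, selector, topic string) bool {
	k := keyOf(selector, topic)
	if v, ok := cache[k]; ok {
		return v // cache hit: the stored decision is trusted as-is
	}
	v := exactMatch(selector, topic)
	cache[k] = v
	return v
}

// secondDecision warms a fresh cache with the first pair, then returns the
// decision obtained for the second pair.
func secondDecision(keyOf func(s, t string) string, s1, t1, s2, t2 string) bool {
	cache := make(map[string]bool)
	cachedMatch(cache, keyOf, s1, t1)
	return cachedMatch(cache, keyOf, s2, t2)
}

func main() {
	// Constructed sample pairs: both join to "news_a_news_a".
	// ("news_a", "news_a") matches; ("news", "a_news_a") does not.
	fmt.Println(secondDecision(joinedKey, "news_a", "news_a", "news", "a_news_a"))   // stale allow
	fmt.Println(secondDecision(joinedKey, "news", "a_news_a", "news_a", "news_a"))   // stale deny
	fmt.Println(secondDecision(prefixedKey, "news_a", "news_a", "news", "a_news_a")) // correct deny
	fmt.Println(secondDecision(prefixedKey, "news", "a_news_a", "news_a", "news_a")) // correct allow
}
```

The two joined-key results correspond to the two impacts in the description: a cached allow reused for a non-matching pair, and a cached deny reused for a matching one.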
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products
dunglas · mercure