Is github.com/centrifugal/centrifugo affected by GHSA-q926-c743-49qj#github.com/centrifugal/centrifugo?

Go github.com/centrifugal/centrifugo is affected in <=2.4.0.

Is GHSA-q926-c743-49qj#github.com/centrifugal/centrifugo being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

low

GHSA-q926-c743-49qj#github.com/centrifugal/centrifugo

Q: Is GHSA-q926-c743-49qj#github.com/centrifugal/centrifugo being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

Go · github.com/centrifugal/centrifugo

Summary

Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning

Severity: low
Also known as: GO-2026-4703
Published: 2026-03-13

References

https://github.com/centrifugal/centrifugo/security/advisories/GHSA-q926-c743-49qj
https://github.com/centrifugal/centrifugo/commit/dab80fe3adfe0bbeca3bb3ea45e6d95df9f601a8
https://github.com/centrifugal/centrifugo

Related advisories

GHSA-q926-c743-49qj — medium · Go/github.com/centrifugal/centrifugo
CVE-2026-32301 — medium · Go/github.com/centrifugal/centrifugo
GHSA-j9wf-6r2x-hqmx — medium · Go/github.com/centrifugal/centrifugo

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.