Skip to main content

CVE-2026-39972

| EUVDEUVD-2026-20967 HIGH
Improper Validation of Unsafe Equivalence in Input (CWE-1289)
2026-04-08 https://github.com/dunglas/mercure GHSA-hwr4-mq23-wcv5
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 14:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 14:45 euvd
EUVD-2026-20967
Analysis Generated
Apr 09, 2026 - 14:45 vuln.today
Patch released
Apr 09, 2026 - 14:45 nvd
Patch available
CVE Published
Apr 08, 2026 - 19:53 nvd
HIGH 7.1

DescriptionGitHub Advisory

Impact

A cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones.

The cache key was constructed by concatenating the topic selector and topic with an underscore separator:

go
k = "m_" + topicSelector + "_" + topic

Because both topic selectors and topics can contain underscores, two distinct pairs can produce the same key:

selector="foo_bar"  topic="baz"     → key: "m_foo_bar_baz"
selector="foo"      topic="bar_baz" → key: "m_foo_bar_baz"

An attacker who can subscribe to the hub or publish updates with crafted topic names can exploit this to bypass authorization checks on private updates.

Patches

The vulnerability is fixed by replacing string-encoded cache keys with typed Go struct keys that are inherently collision-free:

go
type matchCacheKey struct {
    topicSelector string
    topic         string
}

The internal TopicSelectorStoreCache interface and sharded cache abstraction have also been removed in favor of a single typed otter cache.

Users should upgrade to version 0.22.0 or later.

Workarounds

Disable the topic selector cache by setting topic_selector_cache to -1 in the Caddyfile, or by passing a cache size of 0 when using the library directly. This eliminates the vulnerability at the cost of reduced performance.

AnalysisAI

Cache key collision in Mercure hub TopicSelectorStore enables authorization bypass through crafted topic names. Attackers can poison the match result cache by exploiting underscore-based key concatenation, causing private updates to be delivered to unauthorized subscribers or blocking legitimate deliveries. Affects Go package github.com/dunglas/mercure prior to version 0.22.0. Exploitation requires ability to subscribe to the hub or publish updates with specially crafted topic/selector combinations. No public exploit identified at time of analysis.

Technical ContextAI

CWE-1289 collision stems from string concatenation cache key generation (topicSelector + "_" + topic). Underscore separator creates ambiguity: "foo_bar"+"baz" and "foo"+"bar_baz" produce identical key "m_foo_bar_baz". Fix replaces string keys with typed Go struct keys containing separate topicSelector and topic fields, eliminating concatenation-based collisions. Otter cache implementation replaces sharded cache abstraction.

RemediationAI

Vendor-released patch: upgrade to Mercure version 0.22.0 or later, which implements collision-free typed struct cache keys. Commit 4964a69be904fd61e35b5f1e691271663b6fdd64 contains the fix. Release available at https://github.com/dunglas/mercure/releases/tag/v0.22.0. Workaround for unpatched systems: disable topic selector cache by setting topic_selector_cache to -1 in Caddyfile configuration, or pass cache size 0 when using the library directly. This eliminates vulnerability but degrades performance. Vendor advisory: https://github.com/dunglas/mercure/security/advisories/GHSA-hwr4-mq23-wcv5

Share

CVE-2026-39972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy