PT-2026-31661 · Mercure+1

Published

2026-04-08

·

Updated

2026-04-09

·

CVE-2026-39972

CVSS v4.0

7.1

High

Vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Mercure versions prior to 0.22.0
Description A cache key collision in TopicSelectorStore allows an attacker to poison the match-result cache, which can deliver private updates to unauthorized subscribers or block delivery to authorized ones. The cache key was built by string concatenation with an underscore separator: k = "m_" + topicSelector + "_" + topic. Because both topic selectors and topics may themselves contain underscores, two distinct (topic selector, topic) pairs can produce the same key, so the cached match result of one pair is returned for the other. An attacker who can subscribe to the hub, or publish updates with crafted topic names, can use this to bypass the authorization check on private updates.
Recommendations Upgrade to version 0.22.0 or later. As a workaround, disable the topic selector cache by setting the topic selector cache size to -1 in the Caddyfile, or by passing a cache size of 0 when using the library directly.
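The collision described above, as an added Go illustration that is not Mercure's own code: a minimal match-result cache is keyed once with the underscore-concatenated layout quoted in the advisory and once with a length-prefixed key (one possible hardening, not the upstream fix). The matcher is reduced to exact equality and the two colliding (selector, topic) pairs are constructed for the example; in the real hub the match is a URI-template evaluation, which does not change the key problem.

```go
package main

import "fmt"

// matches stands in for the topic-selector match whose result
// TopicSelectorStore caches. Exact equality is enough to show the bug;
// the real hub evaluates URI templates.
func matches(selector, topic string) bool {
	return selector == topic
}

// WeakKey reproduces the pre-0.22.0 layout quoted in the advisory:
// an underscore separator between two fields that may contain underscores.
func WeakKey(selector, topic string) string {
	return "m_" + selector + "_" + topic
}

// SafeKey length-prefixes each field so no split of the string is ambiguous.
// This is one possible hardening for illustration, not the upstream fix.
func SafeKey(selector, topic string) string {
	return fmt.Sprintf("m:%d:%s:%d:%s", len(selector), selector, len(topic), topic)
}

// store is a minimal match-result cache keyed by a pluggable key function.
type store struct {
	key   func(selector, topic string) string
	cache map[string]bool
}

func newStore(key func(selector, topic string) string) *store {
	return &store{key: key, cache: map[string]bool{}}
}

// Match returns the cached verdict for (selector, topic) if one exists,
// otherwise computes and caches it.
func (s *store) Match(selector, topic string) bool {
	k := s.key(selector, topic)
	if v, ok := s.cache[k]; ok {
		return v
	}
	v := matches(selector, topic)
	s.cache[k] = v
	return v
}

// Constructed colliding pairs: "chat_room"+"_"+"chat_room" and
// "chat_room_chat"+"_"+"room" both concatenate to "chat_room_chat_room".
const (
	legitSelector = "chat_room"
	legitTopic    = "chat_room" // matches legitSelector
	evilSelector  = "chat_room_chat"
	evilTopic     = "room" // does not match evilSelector
)

// Poison warms a fresh store with the legitimate pair, then looks up the
// colliding pair. Correct answer: false. Under WeakKey the cached true is
// returned, i.e. an update for evilTopic would be delivered to a
// subscriber holding evilSelector.
func Poison(key func(selector, topic string) string) bool {
	s := newStore(key)
	s.Match(legitSelector, legitTopic) // caches true
	return s.Match(evilSelector, evilTopic)
}

// Block is the reverse order: the non-matching pair is cached first, so
// the legitimate pair is then denied under WeakKey. Correct answer: true.
func Block(key func(selector, topic string) string) bool {
	s := newStore(key)
	s.Match(evilSelector, evilTopic) // caches false
	return s.Match(legitSelector, legitTopic)
}

func main() {
	fmt.Println("weak keys collide:", WeakKey(legitSelector, legitTopic) == WeakKey(evilSelector, evilTopic))
	fmt.Println("safe keys collide:", SafeKey(legitSelector, legitTopic) == SafeKey(evilSelector, evilTopic))
	fmt.Println("weak: poison ->", Poison(WeakKey), " block ->", Block(WeakKey))
	fmt.Println("safe: poison ->", Poison(SafeKey), " block ->", Block(SafeKey))
}
```

Poison(WeakKey) returns true and Block(WeakKey) returns false, which are the two impacts the advisory names (leak to an unauthorized subscriber, denial to an authorized one); both come out correct with SafeKey. In Go the simplest alternative to any string key is a map keyed by struct{selector, topic string}, since struct keys compare field by field and cannot be ambiguous; the length-prefixed string is shown here because the cache in the advisory is string-keyed.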

Related Identifiers

CVE-2026-39972
GHSA-HWR4-MQ23-WCV5

Affected Products

Caddy
Mercure