This release includes one security fix; flagged for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: Scope the JWKS cache by resolved endpoint URL to fix the GHSA-g6vg-wj8f-48cj vulnerability.
Why it matters: rated severity 90; fixes a critical security issue (GHSA-g6vg-wj8f-48cj) that could expose unauthorized key data. Immediate mitigation is required for any deployment using JWKS caching.
Summary
AI summary: Updates Miscellaneous, https://github.com/centrifugal/centrifugo/pull/1136, and https://github.com/centrifugal/centrifugo/pull/1137 across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Scope JWKS cache by resolved endpoint URL, fixing GHSA-g6vg-wj8f-48cj vulnerability. (Source: llm_adapter@2026-05-27, confidence: high) | — |
| Feature | Low | Add envconfig tags to NATS JetStream, Redis Streams, and Azure Service Bus consumer configs for environment variable configuration. (Source: llm_adapter@2026-05-27, confidence: high) | — |
| Dependency | Low | Built with Go 1.26.3; includes general dependency updates. (Source: llm_adapter@2026-05-27, confidence: high) | — |
| Deprecation | Medium | Deprecate Prometheus summary metrics; native histograms now preferred. (Source: llm_adapter@2026-05-27, confidence: high) | — |
| Bugfix | Medium | Prevent unnecessary Kafka consumer rebalances by avoiding client re-initialization on retriable fetch errors. (Source: llm_adapter@2026-05-27, confidence: low) | — |
| Bugfix | Low | Fix flaky integration tests. (Source: llm_adapter@2026-05-27, confidence: high) | — |
Full changelog
Centrifugo is an open-source scalable real-time messaging server. Centrifugo can instantly deliver messages to application online users connected over supported transports (WebSocket, HTTP-streaming, Server-Sent Events (SSE/EventSource), gRPC, WebTransport). Centrifugo has the concept of a channel, so it's a user-facing PUB/SUB server.
Centrifugo is language-agnostic and can be used to build chat apps, live comments, multiplayer games, real-time data visualizations, collaborative tools, etc. in combination with any backend. It is well suited for modern architectures and allows decoupling the business logic from the real-time transport layer.
Several official client SDKs for browser and mobile development wrap the bidirectional protocol. In addition, Centrifugo supports a unidirectional approach for simple use cases with no SDK dependency.
For details, go to the Centrifugo documentation site.
What's changed
Improvements
- Support Prometheus native histograms, see #1136. See in docs. Summaries are now DEPRECATED in Centrifugo. Metrics which only had summary now have histogram analogue exposed.
- Kafka consumer: don't re-init the client on retriable fetch errors, see #1137. Should improve stability of consumer during temporary issues with Kafka and prevent unnecessary rebalances.
Fixes
- Add missing envconfig tags to NATS JetStream consumer config so its fields can be configured via environment variables, see #1117 by @thuy-le-kafi. Also applied the same fix to the Redis Streams and Azure Service Bus consumer configs, which had the same gap.
- Fix: Scope JWKS cache by resolved endpoint URL, see #1142. Fixes https://github.com/centrifugal/centrifugo/security/advisories/GHSA-g6vg-wj8f-48cj reported by @sondt99.
- Fix a bunch of flaky integration tests.
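Added example (not Centrifugo's code): a minimal Go JWKS cache with the property the fix above names, key sets stored per resolved endpoint URL so a kid published by one endpoint can never satisfy a lookup against another. The JWK type, JWKSCache, and SampleFetch with its two constructed issuer URLs are assumptions for illustration; the advisory's own details are not on this page.

```go
package main

import (
	"errors"
	"sync"
)

// JWK stands in for a parsed JSON Web Key (constructed; a real cache would hold a crypto.PublicKey).
type JWK struct{ Kid, Key string }
// JWKSCache keeps one key set per resolved endpoint URL; the kid alone is never a cache key.
type JWKSCache struct {
	mu    sync.Mutex
	fetch func(endpointURL string) ([]JWK, error)
	sets  map[string]map[string]JWK // endpointURL -> kid -> key
}
func NewJWKSCache(fetch func(string) ([]JWK, error)) *JWKSCache {
	return &JWKSCache{fetch: fetch, sets: map[string]map[string]JWK{}}
}
// Lookup returns the key with the given kid as published by endpointURL, fetching and
// caching that endpoint's set on first use, so a kid from endpoint A can never satisfy B.
func (c *JWKSCache) Lookup(endpointURL, kid string) (JWK, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	set, ok := c.sets[endpointURL]
	if !ok {
		keys, err := c.fetch(endpointURL)
		if err != nil {
			return JWK{}, err
		}
		set = make(map[string]JWK, len(keys))
		for _, k := range keys {
			set[k.Kid] = k
		}
		c.sets[endpointURL] = set
	}
	if k, ok := set[kid]; ok {
		return k, nil
	}
	return JWK{}, errors.New("jwks: kid " + kid + " not published at " + endpointURL)
}
// SampleFetch is a constructed stand-in for the HTTP fetch: two issuers both publish kid "k1".
func SampleFetch(endpointURL string) ([]JWK, error) {
	switch endpointURL {
	case "https://issuer-a.example/jwks.json":
		return []JWK{{Kid: "k1", Key: "pub-A"}}, nil
	case "https://issuer-b.example/jwks.json":
		return []JWK{{Kid: "k1", Key: "pub-B"}}, nil
	}
	return nil, errors.New("jwks: unknown endpoint " + endpointURL)
}
```

Each endpoint is fetched once and then served from its own entry, so the colliding kid "k1" resolves to pub-A or pub-B depending on which URL the token's issuer actually resolves to.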
Miscellaneous
- This release is built with Go 1.26.3
- Dependency updates
- See also the corresponding Centrifugo PRO release.
Breaking Changes
- Prometheus summary metrics are DEPRECATED; use native histogram equivalents instead
Security Fixes
- GHSA-g6vg-wj8f-48cj — Scope JWKS cache by resolved endpoint URL to fix a security advisory reported by @sondt99