Centrifugo

Developer Productivity

An open‑source, scalable real‑time messaging server for delivering PUB/SUB messages over WebSocket, HTTP‑streaming, SSE, gRPC and WebTransport.

Go Latest v6.8.1 · 7d ago Security brief →

Features

  • Supports multiple transports (WebSocket, HTTP‑streaming, Server‑Sent Events, gRPC, WebTransport)
  • Scalable architecture with Redis, PostgreSQL or NATS backends
  • Rich feature set: presence info, history replay, delta compression, RPC over connection

Recent releases

Review required
v6.8.1 Breaking risk
Auth

Histograms + Kafka stability + envconfig tags

No immediate action
v6.8.0 Breaking risk

Map, shared poll, PG brokers, controller

v6.7.1 New feature
Notable features
  • Added `consumers[].kafka.assume_role_arn` option to enable AWS STS AssumeRole for MSK IAM authentication
Full changelog

Centrifugo is an open-source scalable real-time messaging server. Centrifugo can instantly deliver messages to application online users connected over supported transports (WebSocket, HTTP-streaming, Server-Sent Events (SSE/EventSource), GRPC, WebTransport). Centrifugo has the concept of a channel – so it's a user-facing PUB/SUB server.

Centrifugo is language-agnostic and can be used to build chat apps, live comments, multiplayer games, real-time data visualizations, collaborative tools, etc. in combination with any backend. It is well suited for modern architectures and allows decoupling the business logic from the real-time transport layer.

Several official client SDKs for browser and mobile development wrap the bidirectional protocol. In addition, Centrifugo supports a unidirectional approach for simple use cases with no SDK dependency.

For details, go to the Centrifugo documentation site.

What's changed

Improvements

  • Kafka consumer now supports AWS STS AssumeRole for MSK IAM authentication via the new `consumers[].kafka.assume_role_arn` option, #1129 by @samir-is-here. When set together with `sasl_mechanism: "aws-msk-iam"`, Centrifugo loads base credentials via the AWS SDK default credential chain and assumes the specified IAM role to obtain temporary credentials with automatically refreshed session tokens. This is useful for cross-account MSK access or when running Centrifugo with an EC2/EKS/ECS instance profile. Static `sasl_user`/`sasl_password` keys remain the default when `assume_role_arn` is empty. See documentation.

Fixes

  • CI fix: set LocalStack image version to 4.14 in development setup, #1119.

Miscellaneous

v6.7.0 Breaking risk
Security fixes
  • CVE-2026-32301 — Fixed SSRF vulnerability in Dynamic JWKS endpoint; update issuer_regex/audience_regex patterns to whitelist allowed values.
Notable features
  • Built with Go 1.26 featuring the Green Tea garbage collector
  • Alpine Docker image updated to version 3.22
Full changelog

What's changed

This release contains a breaking change to address a CVE discovered in the Dynamic JWKS endpoint feature. If you use that feature, you need to update your Centrifugo configuration. See the Fixes section for details.

Improvements

  • This release is the first built with Go 1.26. This version of the Go language includes a new garbage collector called the Green Tea garbage collector. This may affect the performance of your Centrifugo installation; in most cases, we expect the impact to be positive. If you notice any performance changes in Centrifugo after upgrading to this release, please let us know in the community rooms. More information about the new GC can be found here.
  • Updated the Alpine image to 3.22 in the Dockerfile.
  • Improve lint layout to improve local DX

Fixes

  • CVE-2026-32301 Fixed SSRF vulnerability in Dynamic JWKS endpoint feature. When using JWKS endpoint URL templates with placeholders extracted from JWT claims via `issuer_regex` or `audience_regex`, an attacker could craft a JWT with malicious claim values to redirect JWKS key fetches to an attacker-controlled server, enabling token forgery. Action required: if you use dynamic JWKS endpoints, update your `issuer_regex`/`audience_regex` patterns so that named capture groups used in the JWKS URL template contain only an explicit list of allowed literal values (e.g., `(?P<tenant>tenant1|tenant2|tenant3)` instead of `(?P<tenant>.+)`). Centrifugo will now reject configurations where these groups allow arbitrary input. A temporary escape hatch `client.token.insecure_skip_jwks_endpoint_safety_check` option is available but will be removed in future releases. This security issue was reported by @VarshankNaik.
  • The Go version update (1.25.7 to 1.26.1) and the update of the Go x/net library bring in fixes for several recently discovered CVEs.
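
The action item in the CVE-2026-32301 fix can be checked before a configuration is deployed. The following is an added example, not Centrifugo's own safety check: it parses a pattern with Go's `regexp/syntax` and reports named capture groups that are not a short finite list of values. The names `UnsafeGroups`, `check` and `maxValues`, the cap of 64 and the `example.com` host are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp/syntax"
)

const maxValues = 64 // assumed cap on how many values one group may list

// check bounds how many strings re can match (anything above maxValues means
// "arbitrary") and records named groups whose contents are arbitrary.
func check(re *syntax.Regexp, bad *[]string) int {
	n := 0
	for i, s := range re.Sub { // visit every child so nested groups are seen
		if k := check(s, bad); re.Op == syntax.OpConcat && i > 0 {
			n *= k
		} else {
			n += k
		}
		if n > maxValues {
			n = maxValues + 1
		}
	}
	switch op := re.Op; {
	case op == syntax.OpCapture || op == syntax.OpAlternate || op == syntax.OpConcat:
	case op == syntax.OpLiteral && re.Flags&syntax.FoldCase == 0:
		n = 1
	case op == syntax.OpCharClass: // Go rewrites a|b|c as [a-c]: count members
		for i := 0; i+1 < len(re.Rune) && n <= maxValues; i += 2 {
			n += int(re.Rune[i+1]-re.Rune[i]) + 1
		}
	default: // star, plus, quest, repeat, any-char, case-folded literal
		n = maxValues + 1
	}
	if re.Op == syntax.OpCapture && re.Name != "" && n > maxValues {
		*bad = append(*bad, re.Name)
	}
	return n
}

// UnsafeGroups names the capture groups in pattern that accept arbitrary input.
func UnsafeGroups(pattern string) (bad []string, err error) {
	re, err := syntax.Parse(pattern, syntax.Perl)
	if err == nil {
		check(re, &bad)
	}
	return bad, err
}

func main() { fmt.Println(UnsafeGroups(`^https://(?P<tenant>.+)\.example\.com$`)) }
```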

Miscellaneous

v6.6.2 Bug fix

Fixed transport write regression causing broken data in HTTP Stream and SSE connections.

Full changelog

What's changed

Fixes

  • Transport write must return after data written #1106. This was noticed in CI after a pull request made by @phront3nd3r. This is a regression from v6.6.0 caused by malformed buffer reuse in the WriteManyFn callback of the client writer. It resulted in broken data being written into the connection, and thus connection issues. The problem reproduced in the HTTP Stream and SSE transports (bidirectional and unidirectional). WebSocket, WebTransport and unidirectional GRPC were not affected because they already return once data is written into the connection.

Miscellaneous

About

Stars
10,335
Forks
707
Languages
Go PLpgSQL HTML