Centrifugo's dynamic JWKS key cache keyed only by kid allows cross-issuer JWT authentication bypass in github.com/centrifugal/centrifugo
kid
{ "url": "https://pkg.go.dev/vuln/GO-2026-5872", "review_status": "UNREVIEWED" }
"https://vuln.go.dev/ID/GO-2026-5872.json"