CVE-2026-39972: CWE-1289: Improper Validation of Unsafe Equivalence in Input in dunglas mercure
CVE-2026-39972 is a high-severity vulnerability in dunglas mercure versions prior to 0. 22. 0. It involves improper validation of cache keys used in the TopicSelectorStore, where concatenation of topic selectors and topics with underscores can cause key collisions. This flaw allows an attacker who can subscribe or publish with crafted topic names to poison the cache, potentially bypassing authorization checks and causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones. The issue is fixed in version 0. 22. 0.
AI Analysis
Technical Summary
Mercure is a protocol designed for efficient data push to web clients. Before version 0.22.0, the TopicSelectorStore constructed cache keys by concatenating topic selectors and topics with an underscore separator. Since both components can contain underscores, different pairs could produce identical cache keys, leading to cache poisoning. An attacker with subscription or publishing capabilities can exploit this to bypass authorization on private updates, either exposing private data or disrupting delivery. This vulnerability is identified as CWE-1289 (Improper Validation of Unsafe Equivalence in Input) and has a CVSS 4.0 score of 7.1 (high severity). The vulnerability is resolved in mercure 0.22.0.
Potential Impact
The vulnerability allows unauthorized access to private updates or denial of delivery to authorized subscribers by exploiting cache key collisions in mercure versions before 0.22.0. This undermines the confidentiality and integrity of data pushed via the mercure protocol. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade mercure to version 0.22.0 or later, where this cache key collision vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 0.22.0, applying this official fix is the recommended remediation. No alternative mitigations are specified.
CVE-2026-39972: CWE-1289: Improper Validation of Unsafe Equivalence in Input in dunglas mercure
Description
CVE-2026-39972 is a high-severity vulnerability in dunglas mercure versions prior to 0. 22. 0. It involves improper validation of cache keys used in the TopicSelectorStore, where concatenation of topic selectors and topics with underscores can cause key collisions. This flaw allows an attacker who can subscribe or publish with crafted topic names to poison the cache, potentially bypassing authorization checks and causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones. The issue is fixed in version 0. 22. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mercure is a protocol designed for efficient data push to web clients. Before version 0.22.0, the TopicSelectorStore constructed cache keys by concatenating topic selectors and topics with an underscore separator. Since both components can contain underscores, different pairs could produce identical cache keys, leading to cache poisoning. An attacker with subscription or publishing capabilities can exploit this to bypass authorization on private updates, either exposing private data or disrupting delivery. This vulnerability is identified as CWE-1289 (Improper Validation of Unsafe Equivalence in Input) and has a CVSS 4.0 score of 7.1 (high severity). The vulnerability is resolved in mercure 0.22.0.
Potential Impact
The vulnerability allows unauthorized access to private updates or denial of delivery to authorized subscribers by exploiting cache key collisions in mercure versions before 0.22.0. This undermines the confidentiality and integrity of data pushed via the mercure protocol. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade mercure to version 0.22.0 or later, where this cache key collision vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 0.22.0, applying this official fix is the recommended remediation. No alternative mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-08T00:01:47.627Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d7dc7c1cc7ad14daf451d5
Added to database: 4/9/2026, 5:06:04 PM
Last enriched: 4/9/2026, 5:20:58 PM
Last updated: 4/9/2026, 7:20:56 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.