CVE-2026-39972 Mercure — Exploit & Vulnerability Details HIGH

Parameter	Value
CVSS	7.1 (HIGH)
Fixed In	0.22.0
Type	CWE-1289
Vendor	Mercure
Public PoC	No

Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones. The cache key was constructed by concatenating the topic selector and topic with an underscore separator.

Because both topic selectors and topics can contain underscores, two distinct pairs can produce the same key. An attacker who can subscribe to the hub or publish updates with crafted topic names can exploit this to bypass authorization checks on private updates. This vulnerability is fixed in 0.22.0.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

None

No data modification

Availability

Low

Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-1289

References 2

https://github.com/dunglas/mercure/commit/4964a69be904fd61e35b5f1e691271663b6fd…

security-advisories@github.com

https://github.com/dunglas/mercure/security/advisories/GHSA-hwr4-mq23-wcv5

security-advisories@github.com

Menu

CVE-2026-39972

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 2

CVE Details

Editor's Choice

Menu

CVE-2026-39972

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 2

CVE Details

Editor's Choice

Stay informed on cybersecurity