Description
Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones. The cache key was constructed by concatenating the topic selector and topic with an underscore separator. Because both topic selectors and topics can contain underscores, two distinct pairs can produce the same key. An attacker who can subscribe to the hub or publish updates with crafted topic names can exploit this to bypass authorization checks on private updates. This vulnerability is fixed in 0.22.0.
Published: 2026-04-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass / Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A cache key collision exists in the TopicSelectorStore component of the Mercure hub. The key is built by concatenating a topic selector with a topic using an underscore separator; because both strings can themselves contain underscores, two distinct selector-topic pairs can produce the same key. When such a collision occurs, the match result cache returns a result that was computed for a different selector-topic pair, enabling an attacker to have private updates delivered to unauthorized subscribers or to block delivery to authorized ones. This bypasses authorization checks and can expose confidential information.
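The description and the impact analysis above both describe the same mechanism: an ambiguous separator between two attacker-influenced strings. The following Go program is an added illustration written for this page, not Mercure's own code, and it does not claim to reproduce the upstream fix. `weakCacheKey` models the underscore-joined scheme the advisory describes; `safeCacheKey` is one collision-free alternative (length-prefixed components, an assumption chosen for illustration); `matchCache` stands in for a match-result cache whose real matcher is reduced to plain string equality so the caching behaviour is the only thing in play. All selector and topic values are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
)

// weakCacheKey models the key scheme described in the advisory: selector and
// topic joined with a single underscore. Written for this page, not taken
// from Mercure. Because either component may contain underscores, distinct
// (selector, topic) pairs can map to the same key.
func weakCacheKey(selector, topic string) string {
	return selector + "_" + topic
}

// safeCacheKey is one collision-free alternative (an assumption, not the
// upstream fix): each component is prefixed with its own length, so the
// boundary between the two is unambiguous whatever characters they contain.
// A struct{selector, topic string} map key would achieve the same result.
func safeCacheKey(selector, topic string) string {
	return strconv.Itoa(len(selector)) + ":" + selector +
		"|" + strconv.Itoa(len(topic)) + ":" + topic
}

// matchCache is a stand-in for a match-result cache keyed by a string built
// from the (selector, topic) pair.
type matchCache struct {
	keyFn func(selector, topic string) string
	store map[string]bool
}

func newMatchCache(keyFn func(string, string) string) *matchCache {
	return &matchCache{keyFn: keyFn, store: make(map[string]bool)}
}

// Match reports whether selector matches topic, consulting the cache first.
// The "real" matcher here is exact string equality, standing in for the
// hub's URI-template matching; the cache behaviour is what matters.
func (c *matchCache) Match(selector, topic string) bool {
	k := c.keyFn(selector, topic)
	if v, ok := c.store[k]; ok {
		return v // served from cache, possibly computed for another pair
	}
	v := selector == topic
	c.store[k] = v
	return v
}

// collides reports whether two distinct pairs share a cache key under keyFn.
func collides(keyFn func(string, string) string, a, b [2]string) bool {
	return a != b && keyFn(a[0], a[1]) == keyFn(b[0], b[1])
}

func main() {
	// Constructed pairs: ("s_t", "s_t") and ("s", "t_s_t") both join to
	// "s_t_s_t" under the weak scheme, yet only the first is a real match.
	a := [2]string{"s_t", "s_t"}
	b := [2]string{"s", "t_s_t"}
	fmt.Println("weak keys collide:", collides(weakCacheKey, a, b))
	fmt.Println("safe keys collide:", collides(safeCacheKey, a, b))

	weak := newMatchCache(weakCacheKey)
	weak.Match(a[0], a[1]) // caches true under "s_t_s_t"
	fmt.Println("weak cache, non-matching pair:", weak.Match(b[0], b[1]))

	safe := newMatchCache(safeCacheKey)
	safe.Match(a[0], a[1])
	fmt.Println("safe cache, non-matching pair:", safe.Match(b[0], b[1]))
}
```

With the weak scheme the second lookup is answered from the entry cached for the first pair, so a non-matching pair is reported as a match; with length-prefixed keys each pair gets its own entry. The same reasoning applies to any cache or lookup table whose key is formed by joining untrusted strings with a delimiter those strings may contain.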

Affected Systems

All instances of Mercure by dunglas released before version 0.22.0 are affected. The flaw is present in every pre-0.22.0 release regardless of minor or patch version, so any hub running one is vulnerable until the upgrade is applied.

Risk and Exploitability

The CVSS vector assigns a score of 7.1, indicating a medium severity vulnerability. EPSS data is not available, and the flaw is not listed in CISA's KEV catalog. The likely attack vector is remote access to the hub's subscription or publication endpoints over the network. Based on the description, it is inferred that an attacker must be able to send crafted subscription requests or publish messages with specially formed topic selectors and topics containing underscores. Once such a collision is created, the bug can affect all users who interact with the hub, so the risk is notable for publicly exposed or poorly secured instances of Mercure.

Generated by OpenCVE AI on April 9, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mercure to version 0.22.0 or newer.
  • If an upgrade is delayed, isolate the hub to trusted networks and disable public subscription and publishing endpoints.
  • Validate or sanitize topic selector and topic inputs to prevent cache key collisions.
  • Monitor subscription and publication logs for anomalous patterns that may indicate attempted cache poisoning.

Generated by OpenCVE AI on April 9, 2026 at 18:50 UTC.


Advisories
Source: Github GHSA
ID: GHSA-hwr4-mq23-wcv5
Title: mercure has Topic Selector Cache Key Collision
History

Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
  Values Added: Dunglas, Dunglas mercure
Type: Vendors & Products
  Values Added: Dunglas, Dunglas mercure

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 17:00:00 +0000

Type: Description
  Values Added: Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones. The cache key was constructed by concatenating the topic selector and topic with an underscore separator. Because both topic selectors and topics can contain underscores, two distinct pairs can produce the same key. An attacker who can subscribe to the hub or publish updates with crafted topic names can exploit this to bypass authorization checks on private updates. This vulnerability is fixed in 0.22.0.
Type: Title
  Values Added: Mercure has a Topic Selector Cache Key Collision
Type: Weaknesses
  Values Added: CWE-1289
Type: References
  Values Added:
Type: Metrics (cvssV4_0)
  Values Added: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T18:59:49.306Z

Reserved: 2026-04-08T00:01:47.627Z

Link: CVE-2026-39972

Vulnrichment

Updated: 2026-04-09T18:59:29.607Z

NVD

Status : Deferred

Published: 2026-04-09T17:16:30.770

Modified: 2026-04-16T14:45:19.723

Link: CVE-2026-39972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:07Z

Weaknesses