CVE-2026-32301

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:centrifugal:centrifugo:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-13 19:54

Updated : 2026-03-18 18:02

NVD link : CVE-2026-32301

Mitre link : CVE-2026-32301

CVE.ORG link : CVE-2026-32301

JSON object : View

Products Affected

centrifugal

centrifugo

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-32301", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2026-03-13T19:54:41.477", "references": [{"url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0."}, {"lang": "es", "value": "Centrifugo es un servidor de mensajer\u00eda en tiempo real escalable de c\u00f3digo abierto. Antes de la versi\u00f3n 6.7.0, Centrifugo es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) cuando se configura con una URL de endpoint JWKS din\u00e1mica utilizando variables de plantilla (p. ej., {{tenant}}). Un atacante no autenticado puede crear un JWT con un valor de reclamaci\u00f3n 'iss' o 'aud' malicioso que se interpola en la URL de obtenci\u00f3n de JWKS antes de que se verifique la firma del token, lo que hace que Centrifugo realice una petici\u00f3n HTTP saliente a un destino controlado por el atacante. Esta vulnerabilidad se corrige en la versi\u00f3n 6.7.0."}], "lastModified": "2026-03-18T18:02:29.327", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:centrifugal:centrifugo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FFE4B883-6865-417B-B19A-92020BB6F2BB", "versionEndExcluding": "6.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}